Conversation
'It’s not a security vulnerability that users can access files that they have access to, even if the file is a little hard to find' by Raymond Chen seems relevant to the #Recall discussion:

https://devblogs.microsoft.com/oldnewthing/20200113-00/?p=103322

Indeed, you can even find @tiraniddo in the comments, who wrote about the topic recently:

https://www.tiraniddo.dev/2024/06/working-your-way-around-acl.html

I still don't see how *cross-user* access might be achieved *without admin* (as reported by @gossithedog ).

@buherator yeah I don't want to outright say recall data can or cannot be accessed without admin rights unless someone can find definitive evidence. TotalRecall doesn't properly answer that question in their FAQ.

@screaminggoat I believe the root of the confusion is that the data *can* be accessed without admin *by the user who was recorded* (otherwise the feature would be unusable). But this is not the same problem as accessing data of *other users*. I'm pretty sure if someone can demonstrate the latter (cross-user) without admin, that would count as a vuln that MS will fix.

@buherator yeah I'm viewing this from an attacker's perspective. If an infostealer were to grab that data, can it be decoded? Could there be some loophole allowing read access to another person's? If TotalRecall required admin rights, could the attacker just BYOVD or use some other LPE/EoP vulnerability to run it?

@screaminggoat Even if there was some magic crypto involved (e.g. using the TPM) my data would be accessible to me via some viewer app - the malware would probably just hook into that to extract everything.

@buherator @screaminggoat
It's hard to imagine any feature that would allow Recall to be usable for the end user, but not usable by malware on said end user's system.

@wdormann @screaminggoat In practice, probably so. But to refine my previous point, encryption would help with one user targeting all users' DBs, and even rate limiting would seem like a useful measure with a TPM.

@wdormann @buherator Bear with me: What if Microsoft adds an end-user license agreement (EULA) that specifically forbids an attacker's use of malware on said end user's system? Thus making hacking illegal; boom, world peace solved.

@buherator @wdormann @screaminggoat That would still be pure cosmetics! I don’t see how they could prevent extraction of data without a dedicated hardware component for Recall data storage and processing, which would likely be too expensive for the PC market 🤷

@buherator @gossithedog hah I forgot about that blog post, probably where I came to the conclusion about it being to prevent enumeration :)

@swapgs @wdormann @screaminggoat Yeah, I'm being purely theoretical here, but I think such thought exercises are useful to understand why efforts are put in one area but not another.

@buherator @screaminggoat
FTR, as TotalRecall is currently designed, you need to have admin privs even to access YOUR OWN Recall data.
But that's a limitation in how TotalRecall is currently implemented, as opposed to an aspect of Recall itself.

You do NOT need admin privs to access your own Recall directory contents. Just an appropriate token, which you can grab from another medium-IL process that's running in your session.

I've not seen evidence that you can access another user's Recall data without admin privs.

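The distinction drawn in the post above (a user can read their own data; other users should not be able to; SYSTEM and Administrators can) is something a defender can check directly on the filesystem. The script below is an added example, not code from any participant in this thread: it audits a directory's DACL and reports every Allow entry that grants read access to a principal other than the directory's owner, SYSTEM or BUILTIN\Administrators, which is exactly the condition that would turn per-user data into cross-user data. The path passed in is a placeholder; the thread does not state where Recall keeps its database, and it must be run as the directory's owner or as an administrator, because Get-Acl fails on a directory the caller cannot read.

```powershell
# Added example (not from the thread): report principals, other than the owner,
# SYSTEM and Administrators, that hold read access on a directory.
function Test-DirectoryReadableByOthers {
    param(
        # Placeholder: the thread does not give the real Recall data location.
        [Parameter(Mandatory)] [string] $Path
    )

    # Get-Acl throws if the caller cannot read the DACL; let that surface.
    $acl = Get-Acl -Path $Path

    # Principals we expect to see on per-user data: the owner plus the two
    # principals the thread agrees can legitimately reach any user's data.
    $trusted = @(
        $acl.Owner,
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators'
    )

    # ReadData is the bit that matters for "can this principal read the files";
    # FullControl, Modify, ReadAndExecute and Read all include it.
    $readMask = [System.Security.AccessControl.FileSystemRights]::ReadData

    $findings = foreach ($ace in $acl.Access) {
        # Deny entries never widen access; skip them.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Owner / SYSTEM / Administrators are expected.
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        # Ignore entries that do not include read access.
        if (($ace.FileSystemRights -band $readMask) -eq 0) { continue }

        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }

    # Empty result means only the owner, SYSTEM and Administrators can read it.
    return $findings
}

# Usage (placeholder directory name; replace with the directory under audit):
# Test-DirectoryReadableByOthers -Path "$env:LOCALAPPDATA\PLACEHOLDER_DATA_DIR" | Format-Table
```

An entry for `BUILTIN\Users`, `Everyone` or `NT AUTHORITY\Authenticated Users` in the output is the finding that would matter for the cross-user question in this thread; an inherited entry points at the parent directory's ACL rather than the data directory itself. The check is deliberately limited to the DACL, so it says nothing about the separate question of whether a process running in the owner's own session can read the data, which the thread treats as expected behaviour.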
@wdormann @screaminggoat Thank you, this confirms my understanding of the issue!

@buherator @screaminggoat
Or, as @tiraniddo has mentioned, just set the ACL on the special "restricted" directory. You own it after all.

@wdormann @screaminggoat @tiraniddo Thanks this is also pretty much what I concluded here: https://infosec.place/notice/Aie4B3fNgq3QPbXGdc

Maybe @arstechnica would clarify their piece?

@buherator @screaminggoat @tiraniddo @arstechnica
Regarding "Beaumont says admin access to the system isn’t required to read another user’s Recall database" part?

I don't believe that @GossiTheDog ever said such a thing. (I've seen no evidence that it's true).

I suspect this is an outcome of having played the telephone game.

@wdormann @screaminggoat @tiraniddo @arstechnica

I'm happy to give @GossiTheDog the benefit of the doubt here, but posts like the one referenced below *really* don't help in getting a clean view of the situation, by excluding very relevant aspects of the issue:

https://mastodon.social/@carrot_c4k3/112565972195954438

His blog also includes this:

"In fact, you don’t even need to be an admin to read the database — more on that in a later blog."

...which may be technically true, but ignores the question of data ownership, which - again - is critical to understanding the threat.

@wdormann @buherator @screaminggoat @tiraniddo @arstechnica @GossiTheDog That’s definitely what he seems to be saying here, in his Medium Q&A post, though he didn’t go into detail (yet). Happy to publish an update if I’ve misunderstood what he was saying here, though. https://doublepulsar.com/recall-stealing-everything-youve-ever-typed-or-viewed-on-your-own-windows-pc-is-now-possible-da3e12e9465e

@dangoodin @wdormann @buherator @screaminggoat @arstechnica @GossiTheDog I think Microsoft implies you needed admin to read your own database files so it's "secure", but that's clearly not true. I also don't think Kevin was saying you could do it cross user as that's a much more serious problem.

@dangoodin @wdormann @screaminggoat @tiraniddo @arstechnica

"Beaumont says admin access to the system isn’t required to read another user’s Recall database."

As far as I can tell @GossiTheDog never said you can read *another user's* data without admin.

Based on the information I saw, a non-admin can read their own Recall data, just like you can read your own Word docs, but not other users (in this case access is a bit more complicated, as @tiraniddo explained already).

/cc @andrew_writes

@wdormann @buherator @screaminggoat @tiraniddo @arstechnica that answer is in between two other answers about UAC not being a security feature and accessing someone else’s database from another account on the same PC, so the implication seemed clear to me, but if @GossiTheDog can clarify then obviously I’ll change it

@GossiTheDog @wdormann @buherator @screaminggoat @tiraniddo @arstechnica tl;dr can non-admin accounts access the Recall database of another user on the same PC?

@GossiTheDog @andrew_writes @buherator @screaminggoat @tiraniddo @arstechnica
You probably don't. 😂
Things you said got telephone gamed.

@andrew_writes @GossiTheDog @buherator @screaminggoat @tiraniddo @arstechnica
No. Unless you're SYSTEM or an Admin, you won't be able to read another user's Recall database.

@wdormann @andrew_writes @screaminggoat @tiraniddo @arstechnica

@GossiTheDog IMO it would really help if you'd just clearly explain whose data an admin and a non-admin user can and cannot access, because your previous statements were unclear and it seems this resulted in some misleading information being distributed to the wider public.

@wdormann @GossiTheDog @buherator @screaminggoat @tiraniddo @arstechnica this is what I would normally assume of things in those system folders! But @GossiTheDog implied there were things he was holding back to give MS some time to respond/rework (they’ve done neither, at least not to me) so I may have read more into the post than was intended

@buherator @wdormann @screaminggoat @tiraniddo @arstechnica @GossiTheDog can confirm based on my own testing with Recall as it exists on a Windows Dev Kit 2023 that an admin *can* access another user’s recall data on the same PC by clicking through UAC prompts. And a non-admin can see THEIR OWN recall data. Only thing to clarify (at least for my purposes) is whether a non-admin user can see another user’s data somehow

@andrew_writes @wdormann @screaminggoat @tiraniddo @arstechnica

"Only thing to clarify (at least for my purposes) is whether a non-admin user can see another user’s data somehow" Yes.

@GossiTheDog, can you or can you not read cross-user Recall data without an admin account?

I think it would be important to distinguish between the design decisions of the system (plaintext, SQLite, access controls, ...) and bugs that are clearly violating security boundaries (and will likely be fixed in the short term, e.g. cross-user infoleaks, without admin).