After Recall's mess, Microsoft isn't beating the security loopholes allegation any time soon

Recall was a mess.


Key notes

  • Whistleblower Andrew Harris exposed a critical flaw in AD FS, ignored to protect contracts.
  • This flaw led to the SolarWinds cyberattack, compromising U.S. federal agencies.
  • That’s not the only security-related concern Microsoft has been facing recently.

Microsoft’s ambitious AI goal with the Copilot+ PC hardware, despite its demanding specifications, is noteworthy. A key feature, Recall, allows users to search for anything they’ve ever done on their desktop, essentially letting them “recall” all past activities.

But even then, the disastrous reception from users and critics alike, along with concerns over security loopholes, has somewhat hindered what this feature could have become. Microsoft had to move fast, which it did, but the damage was done, as the Redmond company doesn’t have the best track record for caring about what people want.

And now, a recent tell-all exposé by a former Microsoft employee has accused the company of prioritizing profit over addressing a critical software flaw. While this has nothing to do with Microsoft’s push for AI, it still tells a big story about how a business prioritizes profits over security.

In a report published by ProPublica, the whistleblower, Andrew Harris, alleged that Microsoft ignored his warnings to avoid losing government contracts. He said that he discovered and reported a critical flaw in Microsoft’s software that could allow attackers to impersonate legitimate users.

This flaw, found in Microsoft’s Active Directory Federation Services (AD FS), allowed attackers to forge the SAML authentication tokens that AD FS issues, enabling them to impersonate legitimate users and access sensitive data without detection.

The vulnerability was exploited in the SolarWinds cyberattack, compromising several U.S. federal agencies, including the National Nuclear Security Administration and the National Institutes of Health.

Despite internal concerns, Microsoft’s inaction left many systems vulnerable, resulting in a major security breach and exploitation by Russian hackers.

Ouch.