Security researchers have shown that having Microsoft Cortana enabled on the Windows lock screen could be a security risk. In such a configuration, it could be used to compromise a system or to impersonate a user using credentials stored in the browser cache.

The Cortana digital assistant is enabled by default on the lock screen and it can answer questions, voiced or typed, even if the user is not authenticated. While in this state, it relies on Edge and a limited version of Internet Explorer 11 to do its job.

In a report released today, researchers from McAfee detail how this can work to an attacker’s advantage if they have physical access to the device. With some effort and by asking the right questions, the experts were able to point Cortana to a domain under their control without unlocking the device. As they had control over this domain, they could have run any JavaScript they wanted on the visiting computer's browser.

Taking over dead or unmaintained domains

The latest findings rely on previous research from McAfee that showed how a malicious actor could abuse Cortana to access data, run malicious code, and even change a locked PC's password.

Depending on what you ask and how you do it, Cortana can offer a more detailed response, with links from trusted online resources. If there is an official website available for your query, Cortana will show the one listed on Wikipedia.

“We can leverage this information to craft a fake Wikipedia entry, add enough content to get the review to succeed, add an official website link, and see what Cortana presents,” the researchers say.

Although the idea could work, it’s far from being a safe bet because content on Wikipedia is subject to vetting by reviewers, who are pretty good at their job. On top of this, the attacker would have to wait for Bing to index the page before Cortana can retrieve the intended answer.

The alternative was to identify unmaintained or dead links for official websites on Wikipedia and purchase them. This is a less noisy method that does away with the disadvantage of waiting for search engine indexing.

Dead "official website" link on Wikipedia added to Cortana's answer

“Many of them are still registered but do not serve any content," reads the McAfee report, referring to the dead links on Wikipedia, adding that "others are live despite the 'dead link' tag. We end up with a list of domains, some more expensive than others, that are vacant.”

Once they own a domain name, the attacker can install an exploit on it. When the link is clicked in Cortana, Edge automatically retrieves the content and infects the Windows 10 PC without the need to unlock it.

This is definitely a loud approach, as talking to a computer in a public place could raise suspicion. A stealthier technique involves $3 worth of electronic equipment to send commands via ultrasound to voice assistant software. The method is known as the DolphinAttack and it works against Cortana and speech recognition products from Amazon, Google, Apple, Huawei, and Samsung.

Use Cortana Skills to browse the web, impersonate the user

Microsoft’s digital assistant can also be used for Internet browsing while Windows is in a locked state. This is possible by invoking Cortana skills - dedicated apps that let you access specific information.

By asking a question that triggers a Cortana skill, you can hop from link to link in the skill and gain access to social media sites, and potentially the rest of the internet.

McAfee researchers say that the online content is loaded by a stripped-down version of Internet Explorer 11 that has JavaScript and Cookies enabled. It also shares the autocomplete and credentials saved in the current Internet Explorer session.

At least theoretically, this could allow an attacker to log into online services and make modifications as the legitimate user if the username and password have been saved in Internet Explorer.

Cortana loads Facebook site on locked PC 

Proximity is essential for this type of compromise to function, so it is unlikely to become popular among cybercriminals. The discovery of the security limitations in the IE 11 version used by Cortana, however, could serve as a ramp for other attacks.

To truly protect yourself from these types of attacks, though, McAfee recommends that you disable Cortana on the lock screen until Microsoft makes it so you cannot navigate to other sites while the computer is locked.
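
One way to audit and enforce that recommendation on a Windows 10 machine is sketched below; it is an added example, not code from McAfee's report or from Microsoft. It assumes the `AllowCortanaAboveLock` machine policy value and the per-user `VoiceActivationEnableAboveLockscreen` preference are the controls in effect on the build being checked, and the function names are hypothetical.

```powershell
# Added example: report whether Cortana is reachable above the lock screen,
# and optionally write the machine policy that turns it off.
# Assumption: these two registry values are the controls used on this build.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
$PolicyName = 'AllowCortanaAboveLock'
$UserPath   = 'HKCU:\SOFTWARE\Microsoft\Speech_OneCore\Preferences'
$UserName   = 'VoiceActivationEnableAboveLockscreen'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (i.e. "not configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-CortanaLockScreenState {
    $policy = Get-RegDword -Path $PolicyPath -Name $PolicyName
    $user   = Get-RegDword -Path $UserPath   -Name $UserName
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        MachinePolicy  = if ($null -eq $policy) { 'NotConfigured' } else { $policy }
        UserPreference = if ($null -eq $user)   { 'NotSet' }        else { $user }
        # A machine policy of 0 blocks Cortana above lock regardless of the user toggle.
        # With no policy present, only an explicit per-user 0 counts as disabled,
        # because the article notes the feature is enabled by default.
        DisabledOnLockScreen = ($policy -eq 0) -or (($null -eq $policy) -and ($user -eq 0))
    }
}

function Disable-CortanaOnLockScreen {
    # Requires an elevated session because it writes under HKLM.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $PolicyName `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

$state = Get-CortanaLockScreenState
$state | Format-List
if (-not $state.DisabledOnLockScreen) {
    Write-Warning 'Cortana is reachable from the lock screen; run Disable-CortanaOnLockScreen from an elevated prompt.'
}
```

The per-user value is read from the profile of whoever runs the script, so on shared machines the machine policy is the setting to rely on.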