A fresh report from ERNW, a German security research firm, details a vulnerability in Windows Hello for Business, Microsoft's passwordless authentication system. The research, part of a project funded by Germany's Federal Office for Information Security (BSI), demonstrates how an attacker who already holds administrative access to a device can exploit the system's design to commit a form of identity theft.
The attack, dubbed "The Face Swap," leverages the way Windows Hello handles biometric data: the user's biometrics are not used for authentication directly, but to unlock a cryptographic key stored on the system. ERNW's researchers found that an attacker with administrative privileges can read and modify the database that links a user's identity to that user's stored biometric template.
In a proof-of-concept attack, the researchers swapped the identifiers between two enrolled users. The swap completely fooled the system: the attacker could sit in front of the computer's camera, and Windows Hello would accept the attacker's face as the victim's, granting access to the victim's account along with all of the victim's corporate network resources, files, and data.
In layman's terms, on any Windows computer with Windows Hello enabled and more than one enrolled user, anyone holding an administrative account can sign in as any other user on the system by presenting their own face. The precondition matters: the flaw does not give an outsider a way onto the machine, but it lets a local administrator (or malware running with admin rights) assume another enrolled user's identity, and with it access to resources that are gated by that user's Windows Hello credentials rather than by local admin rights alone.
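To make the design point concrete, here is a toy model of the weakness, added here as an illustration; it is not ERNW's proof of concept and does not reproduce Windows Hello's actual database format or internals. It models a biometric store as a table mapping a template identifier to the account whose credential it unlocks, and shows that when the account field is plain, editable data, swapping two rows makes the attacker's face unlock the victim's credential. The second store binds each row to a MAC under a secret that the table editor is assumed not to hold (in practice, something hardware-backed), so a swapped row fails verification. That mitigation is a general design pattern chosen for the example, not something the article says Microsoft implements; and it only holds if an administrator cannot read the secret, which is why a fix would touch the architecture rather than the database alone. All names, faces and credentials below are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two enrolled users and their "faces".
# A face is modelled as a stable byte string from the sensor; real templates
# are feature vectors, but only the identity mapping matters for this model.
FACES = {"alice": b"alice-face-template", "mallory": b"mallory-face-template"}

# Per-user credential that a successful biometric match unlocks
# (stand-in for the OS-protected key the article describes).
CREDENTIALS = {"alice": "alice-key", "mallory": "mallory-key"}


def template_id(face: bytes) -> str:
    """Hypothetical stable identifier derived from a template."""
    return hashlib.sha256(face).hexdigest()


class UnboundStore:
    """Table: template id -> account name, stored as plain data.
    Whoever can edit the table decides which credential a face unlocks."""

    def __init__(self):
        self.rows = {}

    def enroll(self, user: str, face: bytes) -> None:
        self.rows[template_id(face)] = user

    def authenticate(self, face: bytes):
        user = self.rows.get(template_id(face))
        return None if user is None else (user, CREDENTIALS[user])

    def swap(self, face_a: bytes, face_b: bytes) -> None:
        # What a local admin with write access to the table can do.
        a, b = template_id(face_a), template_id(face_b)
        self.rows[a], self.rows[b] = self.rows[b], self.rows[a]


class BoundStore:
    """Same table, but each row carries an HMAC over (template id, account)
    under a secret the table editor is assumed not to hold. Moving a row
    to another template id, or changing its account, invalidates the tag."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.rows = {}

    def _tag(self, tid: str, user: str) -> bytes:
        return hmac.new(self.secret, f"{tid}|{user}".encode(), hashlib.sha256).digest()

    def enroll(self, user: str, face: bytes) -> None:
        tid = template_id(face)
        self.rows[tid] = (user, self._tag(tid, user))

    def authenticate(self, face: bytes):
        tid = template_id(face)
        row = self.rows.get(tid)
        if row is None:
            return None
        user, tag = row
        if not hmac.compare_digest(tag, self._tag(tid, user)):
            return None  # row was tampered with: refuse to release the credential
        return (user, CREDENTIALS[user])

    def swap(self, face_a: bytes, face_b: bytes) -> None:
        # Same edit as above; the tags travel with the rows but were computed
        # over the other template id, so neither row verifies any more.
        a, b = template_id(face_a), template_id(face_b)
        self.rows[a], self.rows[b] = self.rows[b], self.rows[a]


def demo() -> dict:
    """Enroll both users in both stores, perform the swap, then present
    mallory's face and report which credential each store releases."""
    unbound = UnboundStore()
    bound = BoundStore(secrets.token_bytes(32))
    for store in (unbound, bound):
        for user, face in FACES.items():
            store.enroll(user, face)
    result = {
        "unbound_before_swap": unbound.authenticate(FACES["mallory"]),
        "bound_before_swap": bound.authenticate(FACES["mallory"]),
    }
    unbound.swap(FACES["alice"], FACES["mallory"])
    bound.swap(FACES["alice"], FACES["mallory"])
    result["unbound_after_swap"] = unbound.authenticate(FACES["mallory"])
    result["bound_after_swap"] = bound.authenticate(FACES["mallory"])
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running it shows the unbound store releasing `alice-key` to mallory's face after the swap, while the bound store rejects the tampered rows. Note what the mitigation does not do: an administrator who can also extract the MAC secret can recompute valid tags, so the secret has to live somewhere admin rights cannot reach, which is the architectural change the article's last paragraph alludes to.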
ERNW says it has disclosed its findings to Microsoft but suspects a fundamental fix is unlikely, as it would require an overhaul of the system's architecture. Separately, about two weeks ago ERNW reported a critical flaw in Linux systems that allowed attackers full access to those systems.