Security researchers have shown that having Microsoft Cortana enabled on the Windows lock screen can be a security risk. In that configuration, an attacker with access to the locked machine could compromise the system or impersonate the user by using credentials stored in the browser cache.

The Cortana digital assistant is enabled by default on the lock screen, and it can answer questions, voiced or typed, even when the user is not authenticated. While in this state, it relies on Edge and a limited version of Internet Explorer 11 to do its job.

In a report released today, researchers from McAfee detail how this can work to an attacker's advantage if they have physical access to the device. With some effort and by asking the right questions, the experts were able to point Cortana to a domain under their control without unlocking the device. Because they controlled that domain, they could have run any JavaScript they wanted in the visiting computer's browser.

Taking over dead or unmaintained domains

The latest findings rely on previous research from McAfee that showed how a malicious actor could abuse Cortana to access data, run malicious code, and even change a locked PC’s password.

Depending on what you ask and how you do it, Cortana can offer a more detailed response, with links from trusted online resources. If there is an official website available for your query, Cortana will show the one listed on Wikipedia.

“We can leverage this information to craft a fake Wikipedia entry, add enough content to get the review to succeed, add an official website link, and see what Cortana presents,” the researchers say.

Although the…