This Windows file may be secretly hoarding your passwords and emails

[nir]

A little-known Windows feature will create a file that stores text extracted from all the emails and plaintext-files found on your PC, which sometimes may reveal passwords or private conversations.

 

If you're one of the people who own a stylus or touchscreen-capable Windows PC, then there's a high chance there's a file on your computer that has slowly collected sensitive data for the past months or even years.

 

This file is named WaitList.dat, and according to Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs, this file is only found on touchscreen-capable Windows PCs where the user has enabled the handwriting recognition feature [1, 2] that automatically translates stylus/touchscreen scribbles into formatted text.

 

The handwriting to formatted text conversion feature has been added in Windows 8, which means the WaitList.dat file has been around for years.

 

The role of this file is to store text to help Windows improve its handwriting recognition feature, in order to recognize and suggest corrections or words a user is using more often than others.

 

"In my testing, population of WaitList.dat commences after you begin using handwriting gestures," Skeggs told ZDNet in an interview. "This 'flicks the switch' (registry key) to turn the text harvester functionality (which generates WaitList.dat) on."

 

"Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature," Skeggs says.

 

Since the Windows Search Indexer service powers the system-wide Windows Search functionality, this means data from all text-based files found on a computer, such as emails or Office documents, is gathered inside the WaitList.dat file. This doesn't include only metadata, but the actual document's text.

 

"The user doesn't even have to open the file/email, so long as there is a copy of the file on disk, and the file's format is supported by the Microsoft Search Indexer service," Skeggs told ZDNet.

 

"On my PC, and in my many test cases, WaitList.dat contained a text extract of every document or email file on the system, even if the source file had since been deleted," the researcher added.

 

Furthermore, Skeggs says WaitList.dat can be used to recover text from deleted documents.

 

"If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file," he says. This provides crucial forensic evidence for analysts like Skeggs that a file and its content had once existed on a PC.

 

The technique and the existence of this file have been one of the best-kept secrets in the world of DFIR and infosec experts. Skeggs wrote a blog post about the WaitList.dat file back in 2016, but his discovery got little coverage, mostly because his initial analysis focused on the DFIR aspect and not on the privacy concerns that may arise from this file's existence on a computer.

 

But last month, Skeggs tweeted about an interesting scenario. For example, if an attacker has access to a system or has infected that system with malware, and he needs to collect passwords that have not been stored inside browser databases or password manager vaults, WaitList.dat provides an alternative method of recovering a large number of passwords in one quick swoop.

 

Skeggs says that instead of searching the entire disk for documents that may contain passwords, an attacker or malware strain can easily grab the WaitList.dat and search for passwords using simple PowerShell commands.

 

Skeggs has not contacted Microsoft about his findings, as he, himself, recognized that this was a part of an intended functionality in the Windows OS, and not a vulnerability.

 

This file is not dangerous unless users enable the handwriting recognition feature, and even in those scenarios, unless a threat actor compromises the user's system, either through malware or via physical access.

 

While this may not be an actual security issue, users focused on their data privacy should be aware that by using the handwriting recognition feature, they may be inadvertently creating a giant database of all the text-based files found on their systems in one central location.

 

According to Skeggs, the default location of this file is at:

 

C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat

 

Not all users may be storing passwords in emails or text-based files on their PCs, but those who do are advised to delete the file or disable "Personalised Handwriting Recognition" feature in their operating system's settings panel.

 

Back in 2016, Skeggs also released two apps[1, 2] for analyzing and extracting details about the text harvested in WaitList.dat files.

 

Source

 

 

[straycat19]

ZDNet must be running out of ideas for articles by rehashing old junk like this.  Problem was solved several years.

[steven36]

On 9/19/2018 at 6:48 PM, straycat19 said:

ZDNet must be running out of ideas for articles by rehashing old junk like this.  Problem was solved several years.

It was discovered by  Barnaby Skeggs back in 2016  but no one paid mind to  it then and the problem was never solved  fanboys surged it off like it dont exist, just like you are now.

 

Quote

 

Windows secretly collects sensitive data via Handwriting Recognition tool

Windows has a built-in tool for improving its own handwriting recognition capability, and like many modern, smart features that increase their accuracy over time, it employs user data to do that.

 

Windows Handwriting Recognition has been around for quite a while. Many Windows users who prefer touch-screen or stylus as input methods know the importance of this feature. However, the same, seemingly “innocent” feature is actually tracking your texts. According to a recent discovery, a Windows file named WaitList.dat secretly stores your texts with the help of Windows Search Indexer service. This includes everything from your passwords, emails, texts, and private chats.

This feature was first introduced in Windows 8 as part of its big drive toward touchscreen functionality. It automatically translates touch or stylus (these are the best ones) inputs into formatted text, improving its readability for the user, and giving other applications the ability to comprehend it. It means the secret tracking of users has been occurring for a number of years. Some are concerned that the way it stores that information could prove to be a security risk.

Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs first discovered the information about the file back in 2016 but wasn’t paid much attention. However, after a new and exclusive interview with ZDNet – it appears that the file, in fact, is reasonably dangerous.

Every touch-screen Windows PC with a handwriting recognition feature enabled maintains this file storing users text.

“Once it (handwriting recognition tool) is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature,” Skeggs says.

Considering how ubiquitous the Windows search indexing system is, this could mean that the content of most documents, emails, and forms ends up inside the WaitList file. The concern is that someone with access to the system — via a hack or malware attack — could find all sorts of personally identifiable information about the system’s owner. Worse yet, WaitList can store information even after the original files have been deleted, potentially opening up even greater security holes.

 

Source