This Windows file may be secretly hoarding your passwords and emails

A little-known Windows feature will create a file that stores text extracted from all the emails and plaintext-files found on your PC, which sometimes may reveal passwords or private conversations.
Written by Catalin Cimpanu, Contributor
If you're one of the people who own a stylus or touchscreen-capable Windows PC, then there's a high chance there's a file on your computer that has slowly collected sensitive data for the past months or even years.

This file is named WaitList.dat, and according to Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs, this file is only found on touchscreen-capable Windows PCs where the user has enabled the handwriting recognition feature [1, 2] that automatically translates stylus/touchscreen scribbles into formatted text.

The handwriting-to-formatted-text conversion feature was added in Windows 8, which means the WaitList.dat file has been around for years.

The role of this file is to store text that helps Windows improve its handwriting recognition feature, so that it can recognize and suggest corrections or words a user is using more often than others.

"In my testing, population of WaitList.dat commences after you begin using handwriting gestures," Skeggs told ZDNet in an interview. "This 'flicks the switch' (registry key) to turn the text harvester functionality (which generates WaitList.dat) on."

"Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature," Skeggs says.

Since the Windows Search Indexer service powers the system-wide Windows Search functionality, this means data from all text-based files found on a computer, such as emails or Office documents, is gathered inside the WaitList.dat file. This includes not only metadata, but the actual text of each document.

"The user doesn't even have to open the file/email, so long as there is a copy of the file on disk, and the file's format is supported by the Microsoft Search Indexer service," Skeggs told ZDNet.

"On my PC, and in my many test cases, WaitList.dat contained a text extract of every document or email file on the system, even if the source file had since been deleted," the researcher added.

Furthermore, Skeggs says WaitList.dat can be used to recover text from deleted documents.

"If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file," he says. This provides crucial forensic evidence for analysts like Skeggs that a file and its content had once existed on a PC.

The technique and the existence of this file have been one of the best-kept secrets in the world of DFIR and infosec experts. Skeggs wrote a blog post about the WaitList.dat file back in 2016, but his discovery got little coverage, mostly because his initial analysis focused on the DFIR aspect and not on the privacy concerns that may arise from this file's existence on a computer.

But last month, Skeggs tweeted about an interesting scenario: if an attacker has access to a system or has infected that system with malware, and needs to collect passwords that have not been stored inside browser databases or password manager vaults, WaitList.dat provides an alternative method of recovering a large number of passwords in one fell swoop.

Skeggs says that instead of searching the entire disk for documents that may contain passwords, an attacker or malware strain can easily grab the WaitList.dat and search for passwords using simple PowerShell commands.

Skeggs has not contacted Microsoft about his findings, as he recognized that this was part of intended functionality in the Windows OS, and not a vulnerability.

This file is not dangerous unless users enable the handwriting recognition feature, and even then only if a threat actor compromises the user's system, either through malware or via physical access.

While this may not be an actual security issue, users focused on their data privacy should be aware that by using the handwriting recognition feature, they may be inadvertently creating a giant database of all the text-based files found on their systems in one central location.

According to Skeggs, the default location of this file is at:

C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat

Not all users may be storing passwords in emails or text-based files on their PCs, but those who do are advised to delete the file or disable the "Personalised Handwriting Recognition" feature in their operating system's settings panel.
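For administrators who want to check whether the file exists on a machine before deciding what to do, the following PowerShell function is an added example, not code from Skeggs or from the original article. It looks for WaitList.dat at the default location quoted above in every local profile, reports its size and timestamps, and deletes it only when asked. The function name Get-WaitListFile and its parameters are hypothetical, and it assumes profiles live under the system drive's Users folder.

```powershell
# Added example: audit (and optionally remove) WaitList.dat for each local profile.
# The relative path is the default location quoted in the article; the function
# name and its parameters are hypothetical.
function Get-WaitListFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Folder that holds the user profiles (assumed default: C:\Users)
        [string]$ProfileRoot = (Join-Path $env:SystemDrive 'Users'),
        # Delete each file that is found instead of only reporting it
        [switch]$Remove
    )

    $relative = 'AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat'

    Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir  = $_
            $path = Join-Path $dir.FullName $relative
            # Profiles that never used handwriting input have no file: skip them
            if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return }

            $file    = Get-Item -LiteralPath $path -Force
            $removed = $false
            if ($Remove -and $PSCmdlet.ShouldProcess($path, 'Delete harvested-text file')) {
                try {
                    Remove-Item -LiteralPath $path -Force -ErrorAction Stop
                    $removed = $true
                } catch {
                    Write-Warning "Could not delete ${path}: $($_.Exception.Message)"
                }
            }

            [pscustomobject]@{
                Profile       = $dir.Name
                Path          = $path
                SizeKB        = [math]::Round($file.Length / 1KB, 1)
                Created       = $file.CreationTime
                LastWriteTime = $file.LastWriteTime
                Removed       = $removed
            }
        }
}

# Report only. Run elevated to see other users' profiles.
Get-WaitListFile | Format-Table -AutoSize
```

Running `Get-WaitListFile -Remove -WhatIf` shows which files would be deleted without touching them.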

Back in 2016, Skeggs also released two apps [1, 2] for analyzing and extracting details about the text harvested in WaitList.dat files.