WaitList.dat - This Windows file may be secretly hoarding your passwords and emails

Discussion in 'Windows OS and Software' started by hmscott, Sep 28, 2018.

  1. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    5,066
    Messages:
    17,771
    Likes Received:
    21,806
    Trophy Points:
    931
    This Windows file may be secretly hoarding your passwords and emails
    A little-known Windows feature will create a file that stores text extracted from all the emails and plaintext-files found on your PC, which sometimes may reveal passwords or private conversations.
    By Catalin Cimpanu for Zero Day | September 19, 2018 -- 07:41 GMT (00:41 PDT)
    https://www.zdnet.com/article/this-windows-file-may-be-secretly-hoarding-your-passwords-and-emails/

    "If you're one of the people who own a stylus or touchscreen-capable Windows PC, then there's a high chance there's a file on your computer that has slowly collected sensitive data for the past months or even years.

    This file is named WaitList.dat, and according to Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs, this file is only found on touchscreen-capable Windows PCs where the user has enabled the handwriting recognition feature [1, 2] that automatically translates stylus/touchscreen scribbles into formatted text.

    The handwriting to formatted text conversion feature has been added in Windows 8, which means the WaitList.dat file has been around for years.

    The role of this file is to store text to help Windows improve its handwriting recognition feature, in order to recognize and suggest corrections or words a user is using more often than others.

    "In my testing, population of WaitList.dat commences after you begin using handwriting gestures," Skeggs told ZDNet in an interview. "This 'flicks the switch' (registry key) to turn the text harvester functionality (which generates WaitList.dat) on."

    "Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature," Skeggs says.

    Since the Windows Search Indexer service powers the system-wide Windows Search functionality, this means data from all text-based files found on a computer, such as emails or Office documents, is gathered inside the WaitList.dat file. This doesn't include only metadata, but the actual document's text.

    "The user doesn't even have to open the file/email, so long as there is a copy of the file on disk, and the file's format is supported by the Microsoft Search Indexer service," Skeggs toldZDNet.

    "On my PC, and in my many test cases, WaitList.dat contained a text extract of every document or email file on the system, even if the source file had since been deleted," the researcher added.

    Furthermore, Skeggs says WaitList.dat can be used to recover text from deleted documents.

    "If the source file is deleted, the index remains in WaitList.dat, preserving a text index of the file," he says. This provides crucial forensic evidence for analysts like Skeggs that a file and its content had once existed on a PC.

    The technique and the existence of this file have been one of the best-kept secrets in the world of DFIR and infosec experts. Skeggs wrote a blog post about the WaitList.dat file back in 2016, but his discovery got little coverage, mostly because his initial analysis focused on the DFIR aspect and not on the privacy concerns that may arise from this file's existence on a computer.

    But last month, Skeggs tweeted about an interesting scenario. For example, if an attacker has access to a system or has infected that system with malware, and he needs to collect passwords that have not been stored inside browser databases or password manager vaults, WaitList.dat provides an alternative method of recovering a large number of passwords in one quick swoop.

    Skeggs says that instead of searching the entire disk for documents that may contain passwords, an attacker or malware strain can easily grab the WaitList.dat and search for passwords using simple PowerShell commands.
    Skeggs has not contacted Microsoft about his findings, as he, himself, recognized that this was a part of an intended functionality in the Windows OS, and not a vulnerability.

    This file is not dangerous unless users enable the handwriting recognition feature, and even in those scenarios, unless a threat actor compromises the user's system, either through malware or via physical access.

    While this may not be an actual security issue, users focused on their data privacy should be aware that by using the handwriting recognition feature, they may be inadvertently creating a giant database of all the text-based files found on their systems in one central location.

    According to Skeggs, the default location of this file is at:

    C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat

    Not all users may be storing passwords in emails or text-based files on their PCs, but those who do are advised to delete the file or disable "Personalised Handwriting Recognition" feature in their operating system's settings panel.

    Back in 2016, Skeggs also released two apps[1, 2] for analyzing and extracting details about the text harvested in WaitList.dat files."

    It's been around since Windows 8...and still in Windows 10...

    C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat

    It's been known about since Windows 8 beta, when it got added to the touch interface from Windows 7, there is a TextHavester related dir then too, from 2012, and here's an article from 2016:

    Touch Screen Lexicon Forensics (TextHarvester / WaitList.dat)
    https://articles.forensicfocus.com/...lexicon-forensics-textharvester-waitlist-dat/
     
    Last edited: Sep 28, 2018
    toughasnails likes this.
  2. Primes

    Primes Notebook Deity

    Reputations:
    722
    Messages:
    1,645
    Likes Received:
    602
    Trophy Points:
    131
    Really... "..\TextHarvester\.." How much more flagrant can MS be with their data mining! smh.
     
    hmscott likes this.
  3. Mobius 1

    Mobius 1 nͫٴiͤٴcͫٴeͤ੮Һ૯ ცɿ૭ ૭ค ̷̧̟̭̺͕̜̦̔̏̊̍ͧ͊́̚̕͞ עٴٴٴٴٴٴٴٴ

    Reputations:
    3,315
    Messages:
    9,002
    Likes Received:
    6,295
    Trophy Points:
    681
    Weird, I don't have this.
     
    Vasudev and hmscott like this.
  4. James D

    James D Notebook Prophet

    Reputations:
    2,289
    Messages:
    4,863
    Likes Received:
    1,071
    Trophy Points:
    231
    DataFutures\... or Info4Sale\...
    UserUnderware\... or DirtAnalizator\...
    SceletInFile\... or CluesFinder\...
     
    Vasudev, Primes and hmscott like this.
Loading...

Share This Page