There's a File in Windows That Might Store Your Sensitive Passwords. What to Do About It?
Most of you probably remember the arrival of Windows 8 and the numerous discussions spurred by what many agreed was a pretty poor interface overhaul. Quite a few might have forgotten about the reasons behind the new design, though.
It all had to do with touchscreen devices. Tablets and smartphones were gaining popularity, and the demand for iOS and Android gizmos was enormous. It became apparent at one point that Microsoft had failed to see the trend and had instead put too much trust in its desktop operating system. In a last-ditch attempt to catch up with its Silicon Valley competitors, Microsoft redesigned Windows' look and feel, and made it more touchscreen-friendly. It also produced a mobile version of the operating system, and it even bought the Nokia brand, hoping to win some favors with the more nostalgia-prone users. Did it work?
Well, in 2016, Microsoft got rid of the Nokia-branded phone business, and right now, Windows Mobile's market share is so dismal that the company sees no point in actively developing it. With that being said, there are quite a few Windows ultrabooks and hybrid laptops that do have touchscreens. These devices might have a file on their hard drive that could contain quite a lot of sensitive information.
What is so bad about WaitList.dat?
The file in question was first analyzed by security specialist Barnaby Skeggs nearly two years ago, but his research didn't receive much attention until recently when he brought it up during an online discussion. The name of the file is WaitList.dat, and it's a part of Windows' handwriting recognition feature, which, along with other touchscreen-focused functions, was introduced in Windows 8.
IT companies and their PR teams do tend to abuse terms like "A.I." and "machine learning" quite a lot, but right here, we can see some actual machine learning in action. WaitList.dat is created automatically when you turn on the handwriting recognition feature, and its purpose is to accumulate text which helps Windows guess more reliably what you're trying to scribble.
Where does it get that text from? Your files, that's where.
WaitList.dat relies on the Windows Search Indexer service, which you also use when you open a folder that has hundreds of files in it. As some of you may know, the Windows Search Indexer doesn't index file names and metadata only. It also reads the text in your documents so that if you search for an excerpt from a file you've written ages ago, it will find it for you. Portions of text in document, contact, and email files are also taken by Windows Search Indexer and are stored in WaitList.dat where they are kept for further use by the handwriting recognition tool.
The problem is, quite a lot of sensitive data is often stored and transmitted through documents and emails, and if it is in the documents and emails, it inevitably ends up in WaitList.dat. What's more, if you save your passwords in, say, an Excel spreadsheet, the Windows Search Indexer will indiscriminately scrape them and will store them in WaitList.dat. You can delete the spreadsheet, but that won't remove the passwords from WaitList.dat.
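To check whether your own copy of the file still holds text you thought was gone, the following added example (not code from this article or from Skeggs' research) counts how often chosen terms appear in a file you pass to it, without printing the matched text. It assumes harvested text sits in the file as UTF-16LE runs; the function names and the sample blob are constructed for illustration.

```python
import re
import sys

# Assumption: harvested text appears in the file as UTF-16LE runs
# (a printable ASCII byte followed by 0x00); other encodings are not covered.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def utf16le_runs(data):
    """Return decoded runs of 4+ printable UTF-16LE characters found in data."""
    return [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]

def audit(data, terms):
    """Count case-insensitive hits per term; matched text is never echoed."""
    runs = [r.lower() for r in utf16le_runs(data)]
    return {t: sum(r.count(t.lower()) for r in runs) for t in terms}

def build_sample():
    """Constructed stand-in blob: binary filler around two UTF-16LE fragments."""
    filler = bytes([0x01, 0xFF, 0x10, 0x00, 0x9C, 0x03])
    return (filler + "Quarterly report draft".encode("utf-16-le")
            + filler + "vpn password: Example-Canary-1".encode("utf-16-le")
            + filler)

if __name__ == "__main__":
    # Usage: script.py <path-to-WaitList.dat> term [term ...]
    # With no arguments the constructed sample is audited instead.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        terms = sys.argv[2:]
    else:
        blob = build_sample()
        terms = ["Example-Canary-1", "password", "invoice"]
    for term, hits in audit(blob, terms).items():
        print(f"{term!r}: {hits} hit(s)")
```

Search for a distinctive, non-secret canary string (for example, a label you know sat next to the password in the deleted spreadsheet) rather than the password itself, since command-line arguments end up in shell history.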
It should be obvious that attackers with physical or remote access have other means of compromising sensitive information. WaitList.dat is just another attack vector, though it does seem to be pretty easy to exploit. There's no word on whether or not Microsoft plans to do something about it, but it's pretty clear that this is intended behavior. Apparently, Windows' creators just thought that nobody would be able to find it.
Whatever happens, if you have a touchscreen device that runs on Windows, and if you have enabled handwriting recognition, you might want to think about turning the feature off and removing the WaitList.dat file. It's located in:
You must also consider what type of information is stored in unsecured documents and emails. Considering the fact that you have plenty of tools like Cyclonis Password Manager that can help you protect your data, there really is no excuse for not doing it.