Windows user data on touchscreen-enabled PCs are written to a separate file.
A large number of laptop models and all-in-one workstations nowadays have support for touch input. This is done for the convenience of the user and speeding up the process of his work. But, as it turned out, computer systems with activated touch-input support have one little-known function that jeopardizes the data of users of such systems.
We are talking about devices running the operating system from Microsoft. The fact is that if a computer with activated touch-input is controlled using Windows OS, then the user data of this system, including logins and passwords, are collected in a separate file, and almost in open form. This feature does not work on all Windows PCs with touch input, but only on those with handwriting recognition enabled.
For the first time, Microsoft added this feature to its Windows 8 operating system. The problem is that the data that the user works with is stored in a separate file that is not well protected from external interference. This file is called WaitList.dat, one of the network security experts discovered that after activating handwriting input the file is constantly updated. WaitList.dat is generated by the system immediately after the handwriting recognition option is enabled.
After that, the data of almost any document or email indexed by Windows Search is saved in the specified file. It is worth emphasizing that this is not about metadata, but about textual information from documents. In order for the information to migrate to this file, the user does not need to open e-mail messages or doc files. As soon as they are indexed by the Windows service, everything is automatically stored in the specified location.
Barnaby Skeggs, an information security specialist who was one of the first to discover this problem in Windows, saysthat the file WaitList.dat on his PC stores a “squeeze” of text from any text document or email message. And this is true even if the source file is deleted - the information continues to be stored in WaitList.dat.
“If the source file is deleted, its indexed data continues to be stored in WaitList.dat,” the expert says. This, in theory, provides ample opportunities for attackers who, for one reason or another, decided to examine the data of certain users.
It is worth noting that the problem itself is not a secret. The same Skeggs wrote about her for the first time in 2016, and his post received minimal attention from technical experts. As far as one can understand, technology developers were most concerned about DFIR, and less about the network security of a particular user. For the time being, the problem was not widely discussed.
Last month, Skegg concluded that attackers could (theoretically) steal user data without problems. For example, if an attacker has access to the attacked system, and he needs the passwords and usernames of the hacked PC, then he does not need to look for fragments of logins and passwords, to deal with hashes, etc. - you only need to analyze the WaitList.dat file and get all the necessary data.
Why search for information on the entire disk, especially since many documents can be locked up? Simply copy the file WaitList.dat and continue to analyze it on its side.
It is worth noting that the network security expert who discovered the problem did not contact Microsoft. He believes that this is not a “bug, but a feature”, that is, the developers of the Windows operating system specially designed the system for what it is now. Accordingly, if this is not a vulnerability, then the developers are well aware of it and they can solve the problem at any time.
According to Seggs, the default file location is:
C: \ Users \% User% \ AppData \ Local \ Microsoft \ InputPersonalization \ TextHarvester \ WaitList.dat
If there is no need for Personalized Handwriting Recognition, then it’s best to turn it off for good. In this case, file indexing does not save all data in the specified file without exception.