WaitList.dat file secretly stores written snippets and much more

by Mark Tyson on 24 September 2018, 12:11

Tags: Microsoft (NASDAQ:MSFT), Windows 8, Windows 10

Quick Link: HEXUS.net/qadxtw

Add to My Vault: x

A Windows feature has been uncovered which may be of concern to some but isn't thought to be a 'bug'. Security researcher Barnaby Skeggs was investigating a Windows system file called WaitList.dat which arrived with the release of Windows 8. Not all Windows 8+ PC users will find the file, as it is activated when a user enables the handwriting recognition feature. Once activated, it stores text strings that are input, to help Windows improve prediction, detection and suggestions for handwriting. However, once activated it doesn't restrict itself to saving text strings from your pen input, it also saves keyboard input, and Windows search indexing data.

Last week Skeggs took part in an interview with ZDNet. "In my testing, population of WaitList.dat commences after you begin using handwriting gestures. This 'flicks the switch' (registry key) to turn the text harvester functionality (which generates WaitList.dat) on." Skeggs told ZDNet. As mentioned in the intro, it doesn't restrict itself to data harvesting from your scrawl "Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature," Skeggs asserts.

If you have a WaitList.dat file on your system and peer inside you can find all sorts of potentially risky information. Of course to get to this file an 'attacker' would need to have access to your system somehow, directly or remotely. In WaitList.dat you could easily find passwords and other sensitive security info you might have typed into an email or document in the past. Notably, even if you delete a document its keystrokes may be saved in WaitList.dat. "On my PC, and in my many test cases, WaitList.dat contained a text extract of every document or email file on the system, even if the source file had since been deleted," Skeggs told ZDNet.

Apparently this file has been well known to DFIR and infosec experts since 2016 but recently Skeggs highlighted in a Tweet how an attacker quickly could grab just this one file to potentially reveal lots of user data in one swoop. WaitList.dat is a very juicy target and may be much quicker / easier to swipe than browser databases or password manager vaults.

Despite the above, Skeggs recognises WaitList.dat as a feature rather than a bug or vulnerability. If you want to check if you have this file on your PC it is usually stored at C:\Users\%UserName%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\ and called 'WaitList.dat'.

Representation of the relationship between Ink Applications and the IPS

I've checked my PC and found I do indeed have a WaitList.dat file that weighs in at 1.29MB. If that's pure text it could contain a lot of data. I've not had time to look through my WaitList file yet and I have a standard desktop PC without a stylus so am not sure why this was activated on my system. It might be due to the Traditional Chinese text input method installed as an alternative keyboard.

To disable the feature you can head on over to Windows Services and scroll down to 'Touch Keyboard and Handwriting Panel Service'. Right click to stop the service (if it is enabled).



HEXUS Forums :: 15 Comments

Login with Forum Account

Don't have an account? Register today!
Well,
I have a desktop, and this feature is turned on!

But, couldn't found the file (even in the hidden files). Is this something Microsoft already addressed?
Not to belittle the information but that has been known about for a very long time, am I being a little tin-foil hat when he is "Seeking job opportunities in Australia for Jan 2019"?
Well, my antipathy to W10 is no secret, and that antipathy started with W8, so I'll put that out there in the interests of full disclosure.

What probably isn't so much of a '“no secret”, as in harder to remember, is why my suspicion and antipathy started with W10, which centred around a series of MS ‘decisions’, and corporate announcements, all of which in my opinion spoke volumes about MS's full-blown centrism on what was right for them, and a complete disregard for the best interests of users, and this speaks volumes, whether old news or not.

Who in their right mind, and I mean what complete and utter moron of a developer/team, thought that in any universe, it was a good idea to indulge in this kind of ‘secret’ data capture without, at an absolute minimum, a very clear, plainly worded and explicit warning to users whenever anything was done that activates this.

I mean, the vast majority of users aren't security experts and most are barely computer-literate, and this presents an enormous, whopping-great security risk, which is pnly conceivably excusable if MS clearly warned users.

The fact that this file is required to somehow train and improve handwriting capture is no excuse for such a potentially dsnaging security risk, and such a pathetic reason for potentially exposing millions of users in order to help their feature improve tells me all I need to know about how much consideration MS give to their users.


Each time I mention my very considerable scepticism about putting our entire lives on electronic devices, I get called, jn various manners usually involving tinfoil and headwear, paranoid. Is it really paranoia if you are being followed tracked, digitised and databased?

I've pointed out before thatcI have a whole network of machines that are not net-connected. Instead, they're air-gapped. Why? Because I don't know enough, or have enough time, to ensure stuff I put on a machince cannot be compromised. But if it is completely air-gapped, it does at least restrict any hacker to requiring physical access. And if, as in my case, data is at least thorougjly encrupted (as mine is) and in the case of very sensitive dwta, stored or removablw media that are only inserted when I need them, and otherwise securely locked away, it is reasonably secure even against someone with physical access.

As time goes on, all I see is greater and greater risk of data being compromised, if not on your machine then on systems of someone you've given it to be it bank, phone provider, online shop or even HMRC.

So, when I recently recently had a request from a solicitor to email some information they needed, including name, address, DOB, etc, and proof of ID including copies of driving licence, birth cert, passport, and utility bills I laughed at the notion of emailing such copies. Hell, no. I'll bring ‘em in and they can examine whatever they need, but they’re not, under sny circumstances, getting what amounts to an identity thief's wet dream of a theft starter kit by email.

Maybe I am paranoid, but if I'm not extremely careful, it's 100% certain nobody else is going to do it for me.

Which is why, whstever their supposed excuse, MS sneaking around behind user's backs doing this kind of thing is utterly inexcusable and a gross breach of trust.

And you lot wonder why I'm not trusting? ;) :D
This sort of covert data gathering isn’t new. Index.dat files gathe web browsing behaviour (and other things) and those files can be very persistent. And the have been around since Windows 95.
Unless it's not on windows 10 pro I don't see the file either and I have written input enabled (for when I have my graphics tablet in), the thing is that when it's enabled the VERY first thing I do (actually think it's during install) is disable the bits which send data back to Microsoft (not that I really think they'd do anything nefarious with it but I see no reason for it) which supposedly help ‘improve’ the way it works etc.