Slashdot Mirror


'WaitList.dat' Windows File May Be Secretly Hoarding Your Passwords, Emails (zdnet.com)

A file named WaitList.dat, found only on touchscreen-capable Windows PCs, may be collecting your sensitive data like passwords and emails. According to ZDNet, in order for the file to exist users have to enable "the handwriting recognition feature that automatically translates stylus/touchscreen scribbles into formatted text." From the report: The handwriting to formatted text conversion feature was added in Windows 8, which means the WaitList.dat file has been around for years. The role of this file is to store text to help Windows improve its handwriting recognition feature, in order to recognize and suggest corrections or words a user is using more often than others. "In my testing, population of WaitList.dat commences after you begin using handwriting gestures," [Digital Forensics and Incident Response expert Barnaby Skeggs] told ZDNet in an interview. "This 'flicks the switch' (registry key) to turn the text harvester functionality (which generates WaitList.dat) on." "Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature," Skeggs says.

Since the Windows Search Indexer service powers the system-wide Windows Search functionality, this means data from all text-based files found on a computer, such as emails or Office documents, is gathered inside the WaitList.dat file. This doesn't include only metadata, but the actual document's text. "The user doesn't even have to open the file/email, so long as there is a copy of the file on disk, and the file's format is supported by the Microsoft Search Indexer service," Skeggs told ZDNet. "On my PC, and in my many test cases, WaitList.dat contained a text extract of every document or email file on the system, even if the source file had since been deleted," the researcher added. Furthermore, Skeggs says WaitList.dat can be used to recover text from deleted documents.
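To check whether a given machine is affected and to see what the file actually holds, here is an added triage script. It is not from the ZDNet report or from Skeggs' own tooling. It assumes the file sits at the per-user path shown (that path is an assumption, not something the summary states), treats the file as an opaque binary and carves printable UTF-16 strings from it the way `strings -el` would; it does not parse the container format. Run it as the user whose profile you are examining, or point `$path` at a copy taken from a disk image.

```powershell
# Added example; not from the ZDNet report or from Skeggs' tooling.
# Assumption: WaitList.dat lives at this per-user path (adjust if your build differs).
$path = Join-Path $env:LOCALAPPDATA 'Microsoft\InputPersonalization\TextHarvester\WaitList.dat'

if (-not (Test-Path -LiteralPath $path)) {
    "No WaitList.dat at $path (harvester never switched on, or not a pen/touch PC)"
    return
}

# Record what you are looking at before touching it: size, timestamps, hash.
$item = Get-Item -LiteralPath $path
"{0}: {1:N0} bytes, created {2}, last written {3}" -f $item.FullName, $item.Length, $item.CreationTime, $item.LastWriteTime
"SHA256: " + (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

# Treat the file as opaque bytes and carve printable UTF-16LE runs. Decode at both
# byte offsets so strings that start on an odd boundary are not missed.
$bytes = [System.IO.File]::ReadAllBytes($path)
$runs = foreach ($offset in 0, 1) {
    $text = [System.Text.Encoding]::Unicode.GetString($bytes, $offset, $bytes.Length - $offset)
    [regex]::Matches($text, '[\p{L}\p{N}\p{P}\p{S} ]{12,}') | ForEach-Object { $_.Value }
}
$runs = @($runs | Sort-Object -Unique)
"Recovered {0} distinct text fragments of 12+ characters" -f $runs.Count
$runs | Select-Object -First 20

# Show what someone with read access to this one file would get: fragments that look
# like credential material. The patterns are illustrative, not exhaustive.
$patterns = 'passw(or)?d', 'pwd\s*[:=]', 'BEGIN (RSA|OPENSSH|EC|DSA) PRIVATE KEY', '\bAKIA[0-9A-Z]{16}\b'
$hits = @($runs | Where-Object { $r = $_; @($patterns | Where-Object { $r -match $_ }).Count -gt 0 })
"{0} fragments match credential-looking patterns" -f $hits.Count
$hits | Select-Object -First 10
```

The hash and timestamps are there so the file can be preserved as evidence before anyone "cleans up"; the last-written time is also a quick way to tell whether the harvester is still active on that profile.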

40 comments

  1. Only a fucking millennial by Anonymous Coward · · Score: 0, Insightful

    Would think it is newsworthy that a search index stores copies of the stuff it indexed or that another process that wants to use that index might want a copy of it for when the index file is locked for updating

    holy Christ

    1. Re:Only a fucking millennial by Anonymous Coward · · Score: 0

      Why would an index want or need to store copies of the stuff it indexed? Do you even code, bro?

    2. Re:Only a fucking millennial by omnichad · · Score: 4, Informative

      It's effectively acting as an indexing keylogger too, though. Not just the contents of documents.

    3. Re: Only a fucking millennial by Anonymous Coward · · Score: 0

      what the fuck do u think an index is

    4. Re: Only a fucking millennial by CaptainDork · · Score: 3, Funny

      An index describes the positional status of a single playing card relative to a stack of them.

      Some are out of the decks (outdex) and some are in the decks (index).

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re: Only a fucking millennial by Anonymous Coward · · Score: 1

      An index should probably be shorter than the material it indexes. That implies discarding some data. Like maybe the order of words in the document, or how often they are repeated. Especially in this context where you're hoping to basically store unique words.

    6. Re: Only a fucking millennial by Anonymous Coward · · Score: 0

      Guys... I think the previous AC, the one panicking about the mlocate db... might just have been making a joke.

    7. Re:Only a fucking millennial by Anonymous Coward · · Score: 0

      Sort of like how Google tracks everything you type on Google Docs and Search?

    8. Re:Only a fucking millennial by thegarbz · · Score: 1

      Yeah, but it's 100% optional and also quite clear about what the feature does; I don't know what else people thought ticking this box would achieve.

      "I want you to watch what I type so you get to know me better, ... oh but don't watch what I type!"

    9. Re:Only a fucking millennial by omnichad · · Score: 1

      Passphrases that are obviously not single dictionary words could easily be excluded. And passwords that have spaces in them would already be broken up in the index. It's the lack of a validating dictionary that makes it a problem.

    10. Re:Only a fucking millennial by thegarbz · · Score: 1

      And passwords that have spaces in them would already be broken up in the index.

      Why would you assume that? One of the biggest problems with handwriting recognition is the inability to recognise non-dictionary words and unexpected spaces.

    11. Re: Only a fucking millennial by Anonymous Coward · · Score: 0

      Name checks out.

    12. Re:Only a fucking millennial by omnichad · · Score: 1

      I should have said that as passphrases (with dictionary words).

  2. Re:I propose an experiment: by UnknownSoldier · · Score: 4, Insightful

    Wrong solution to a different problem.

    Instead, stop shitty Operating Systems that don't understand security.

  3. Passwords? by Anonymous Coward · · Score: 0

    I get where the concern is of "omg it's got muh emails!", but where do passwords come in?

    1. Re:Passwords? by viperidaenz · · Score: 1

      From people who type their passwords in to clear-text documents that Windows Search Indexer can index.

    2. Re:Passwords? by Anonymous Coward · · Score: 1

      From people who type their passwords in to clear-text documents that Windows Search Indexer can index.

      Or if someone sent you a password in email.

    3. Re:Passwords? by Antique+Geekmeister · · Score: 2

      I've had that discussion, many times. "No one is interested in us", "The email is internal", and "They won't get it any other way". The prize foolishness was the head of security who insisted on sending users' login passwords, in plain text email, so that he would have a copy and be able to test it if they reported problems, set no expiration policy for these new passwords, and set no "must change password on first use" policy. The result was that obsolete email sent to people who were still employed but never used that password, such as contractors with their own offsite systems, left those passwords permanently vulnerable in plain text on the email system for more than 15 years that I measured.

    4. Re:Passwords? by Anonymous Coward · · Score: 0

      Well, yes, but it has no context that there is a password in there. Singling out passwords implies that the system knows when it has scanned a string of text that constitutes a password.

    5. Re:Passwords? by chrish · · Score: 1

      If it indexes things in the Clipboard, that's going to be all the passwords if you're security conscious and using a password manager.

      --
      - chrish
  4. Re:KGB Involvement? by Anonymous Coward · · Score: 0

    >_ Sources also tell us there might be some links to KGB hackers injecting code thru backdoor Windows vulnerabilities to read this file to gain access/information to election systems and voters themselves.

    Yeah, sure, why not? Weren't the Chinese available to take the blame this time? Or Canadians, they're always at hand...

    Well, it might be Russians, who knows?

    It's kind of a mystery for me how Windows is still the most used OS in China...

  5. Plan9 OS Would Never Fuck Me Over by Anonymous Coward · · Score: 0

    Plan9 OS, your beautiful friend.

    1. Re: Plan9 OS Would Never Fuck Me Over by Anonymous Coward · · Score: 0

      Plan9?!? Seriously... How are you going to trust an operating system from OUTER SPACE?!? Heheheheh....

    2. Re:Plan9 OS Would Never Fuck Me Over by Anonymous Coward · · Score: 0

      Isn't that the one that killed Bela Lugosi?

  6. Where is this? by Anonymous Coward · · Score: 0

    I just did a search on my machine and there is no WaitList.dat file. Nada, not a thing.

    What? Another Linux guy pulling shit out of their armpit.

    1. Re: Where is this? by Anonymous Coward · · Score: 0

      It said on touchscreen enabled devices. Probably more common on windows tablets especially. I use a Windows 10 tablet (it was a gift) every night. I'm gonna check later when I get home. If it's on my hard drive I'll open it in my disassembler and see if there are any interesting strings or something.

    2. Re: Where is this? by Anonymous Coward · · Score: 0

      O-ac here, not on my windows 10 Asus B121 tablet, not on my desktop with Wacom Intuos graphics pad, nor on my Lenovo Flex 5 1570. Nothing - Nada.

  7. Re:I propose an experiment: by Anonymous Coward · · Score: 0, Funny

    stop shitty Operating Systems that don't understand security.

    WARNING!!!! On Linux the /var/lib/mlocate/mlocate.db file is tracking every file you or any software on your computer creates. You don't even have to open a file for it to be included! Scary hackers can directly look at it to see where you store your passwords.odf file and then get access to everything. EVERYTHING!!! Including all the porn you hid in your nrop folder. Ahhhhhhhhhhhhh!!

    Also everything you've ever deleted is in the Trash folder!!! Anyone can pick your trash. Sign up now for my $10 a month service* and I'll send a dump truck through the information highway to your computer to compress all those important documents into nothing.

    *Intro pricing.

  8. Water is wet, sky is blue.. by hairyfeet · · Score: 2, Interesting

    Windows on tablets sucks and security has become a punchline under Nutella, now here is Holly with the forecast...."the sun will come up tomorrow, back to you Chuck".

    I mean is ANYBODY at this point surprised? Really? The first thing Nutella did when he took over was fire the QA and testing teams and make the users the beta testers (because that worked SOOO well for the games industry) and what have we seen from Redmond ever since? They can't put out a rolling release without breaking so many pieces of common hardware and software that it's now more buggy than a Linux alpha build, security is a damned joke, and now we find surprise surprise they are storing sensitive info in a fricking .DAT file like it's 1996...sigh.

    I told ya you'd end up missing the Sweaty Monkey, at least all he did was try to steal Apple's "make it all pretty and shit" but that crap was easily stripped out and it was still a solid OS underneath the tacky paint, under Nutella? It's a clusterfuck, it's all of Google's bad habits without any of their engineering skills.

    --
    ACs don't waste your time replying, your posts are never seen by me.
    1. Re: Water is wet, sky is blue.. by Synonymous+Homonym · · Score: 3, Insightful

      Don't fool yourself. It has never been solid.

      Security-wise you used to get worms before the setup for the installer was ready.

    2. Re:Water is wet, sky is blue.. by thegarbz · · Score: 1

      and security has become a punchline under Nutella

      How so? Based on past performance our chocolaty fiend has a long way to go before he oversees security dramas even remotely the size of the previous two CEOs. Sure MS doesn't have a great reputation, but to claim it has become a punchline under Nutella isn't at all backed up by any data, or any of your examples (unless you are confusing the words security and reliability in which case I wholeheartedly continue to disagree since this trend was started with Windows 8 under the watchful eye of the Ranting Monkey).

    3. Re:Water is wet, sky is blue.. by hairyfeet · · Score: 1

      Dude the OS is dumping highly sensitive data in the equivalent of a .txt file....like I said they WANT to slurp all the data like Google but just as MSFT made for a shitty Apple clone they now make for a shitty Google clone.

      BTW look up "Windows 10 vulnerability" to see that yeah their security is going downhill, it's just not being reported nearly as much as the press are busy with their iPhones and Android tablets and really no longer give a fuck about has-been MSFT. Ever since they went rolling release they have garnered such a bad rep they would basically need a Code Red level hack for anybody to give the slightest of fucks about MSFT, the expectations from that company are so damned low they...well they are looked at as about as quality as your average shitty AAA game developer now, a buggy POS is pretty much expected.

      Frankly their new slogan should be "Microsoft....All of the bad practices of Apple and Google and none of the fashion taste or engineering skill"

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:Water is wet, sky is blue.. by thegarbz · · Score: 1

      Dude the OS is dumping highly sensitive data in the equivalent of a .txt file...

      A process that was also present in Windows 8 which introduced the feature. Just because it was discovered NOW doesn't back up the notion that security has gotten worse under Nudella. It only serves to reinforce how shitty it was under Ballmer and that it hasn't gotten any better.

      BTW look up "Windows 10 vulnerability" to see that yeah their security is going downhill

      Look up Windows 8 vulnerability to see that it hasn't budged. Or maybe compare it to Windows 7 pre-SP1 days. Windows security is a joke, but it always has been. It has historically and universally taken several years of bug fixing to fundamentally fix security flaws.

  9. Modest news by ckatko · · Score: 1

    Nothing super threatening--you have to opt-in. Nobody known was affected. And Microsoft will have a patch out within like, two weeks.

    I mean, it's good to know about this stuff to watch for trends. But this will have zero effect on anyone's lives, nor Microsoft's stock. Like a murderer who goes on trial and goes to jail. You can talk about trends maybe, but the murderer is already in jail. He's not a direct threat to any of us. So it's not like "tonight at 10. this thing in your house WILL KILL YOUR CHILDREN if you don't know about it."

    1. Re:Modest news by Anonymous Coward · · Score: 0

      Sounds like you have a prospective job as the h&s, hr and quality assurance officer at Dodgy Brothers Inc. Taringa.

    2. Re:Modest news by Anonymous Coward · · Score: 0

      You have to understand what is happening before opting in.

      the overwhelming majority of users don't.

      'Opt-In' is too often an excuse for bad practices.

  10. Windows had handwriting recognition in XP by Anonymous Coward · · Score: 1

    It was not introduced in windows 8 like the OP says. Now, this could be a newer feature of the handwriting service that was introduced in 8, I don't know. Also mentioned is a registry key that activates this feature, so you could use that to disable it.

    An idea that I just had involves taking ownership of that file (or creating an empty one in its place), setting it to read only, and revoking permissions from every user, including SYSTEM. That may prevent the file from getting populated (search or handwriting features may no longer work as expected).
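An added PowerShell example of that procedure, not the poster's code. It assumes the "registry key" the poster refers to is the per-user InputPersonalization key with the values RestrictImplicitTextCollection and RestrictImplicitInkCollection (the ones the Windows "Getting to know you" privacy switch writes, with 1 meaning restricted); verify that on your build before relying on it. The file path is the same assumption as in the earlier example. It reports the current state, turns collection off, deletes the harvested file, and then leaves a read-only placeholder with write and delete denied to Everyone and SYSTEM, as the poster suggests.

```powershell
# Added example, not from the original post.
# Assumptions: the per-user values below gate the text harvester and 1 = restricted;
# WaitList.dat lives at the path below. Verify both on your build.
$key  = 'HKCU:\Software\Microsoft\InputPersonalization'
$file = Join-Path $env:LOCALAPPDATA 'Microsoft\InputPersonalization\TextHarvester\WaitList.dat'

# 1. Report the current state: is collection allowed, and has a file already been produced?
$vals = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
[pscustomobject]@{
    RestrictImplicitTextCollection = $vals.RestrictImplicitTextCollection   # 1 = restricted, 0/missing = allowed
    RestrictImplicitInkCollection  = $vals.RestrictImplicitInkCollection    # 1 = restricted, 0/missing = allowed
    WaitListPresent                = Test-Path -LiteralPath $file
    WaitListBytes                  = if (Test-Path -LiteralPath $file) { (Get-Item -LiteralPath $file).Length } else { 0 }
}

# 2. Switch text and ink collection off for this user.
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name RestrictImplicitTextCollection -Value 1 -Type DWord
Set-ItemProperty -Path $key -Name RestrictImplicitInkCollection  -Value 1 -Type DWord

# 3. Remove the harvested text. Deleting is not erasure: the report itself notes that text
#    from deleted documents stays recoverable, and the same goes for a deleted WaitList.dat.
if (Test-Path -LiteralPath $file) { Remove-Item -LiteralPath $file -Force }

# 4. The poster's lockdown: an empty, read-only placeholder that nothing can write or delete.
#    Deny ACEs win over any inherited Allow. Only done if the directory already exists.
#    The poster's caveat applies: search or handwriting input may misbehave afterwards.
$dir = Split-Path -Parent $file
if (Test-Path -LiteralPath $dir) {
    New-Item -ItemType File -Path $file -Force | Out-Null
    (Get-Item -LiteralPath $file).IsReadOnly = $true

    $acl = Get-Acl -LiteralPath $file
    $acl.SetAccessRuleProtection($true, $true)       # stop inheriting; keep existing ACEs as explicit
    foreach ($sid in 'S-1-1-0', 'S-1-5-18') {        # Everyone, SYSTEM
        $id   = New-Object System.Security.Principal.SecurityIdentifier $sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'Write, Delete', 'Deny')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $file -AclObject $acl
    (Get-Acl -LiteralPath $file).Access | Format-Table IdentityReference, AccessControlType, FileSystemRights
}
```

Step 2 is the part that actually matters; step 4 is belt and braces, and an administrator can always take ownership and undo it. For a fleet, the equivalent is the "Turn off automatic learning" handwriting personalization Group Policy rather than per-user registry edits.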