Hacker’s Delight: This Windows File Is Harvesting Your Email Conversations And Passwords
One of the things Microsoft has been pushing since Windows 8/8.1 is touchscreen operation. Hardware makers are on board too, which is why there are so many 2-in-1 and convertible devices mixing it up with traditional clamshell laptops. But is there a security trade-off? At least one researcher thinks so after discovering disturbing behavior on touchscreen-enabled Windows 10 PCs.
Barnaby Skeggs, an experienced incident responder and digital forensic analyst, claims that Windows 10 PCs with a touchscreen may drop sensitive information into a special file when the handwriting recognition feature is enabled.
Red Team Tip: Have a shell on a Windows PC with a touch screen? Search for passwords in Waitlist.dat, a full text index of emails and documents used to improve handwriting recognition.
— Barnaby Skeggs (@barnabyskeggs) August 26, 2018
Powershell command below.
Read my research on Waitlist.dat here: https://t.co/Hk764Wqy4j
The file is called WaitList.dat and according to what Skeggs told ZDNet in an interview, it begins collecting certain data when the user starts using handwriting gestures.
"This 'flicks the switch' [registry key] to turn the text harvester functionality on," Skeggs said. "Once it is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing gesture."
Windows Search is based on the information that the Windows Search Indexer collects. This potentially opens the door for the WaitList.dat file to contain snippets from emails, Word documents, contacts, and more. Even worse, Skeggs says that on many of the systems he analyzed, including his own PC, WaitList.dat contained snippets of every document and email on the system, even from files that had been erased.
There's an obvious security implication there. If an attacker is able to compromise a PC with malware, he or she could focus on the WaitList.dat file and potentially pluck a gold mine of sensitive information. Furthermore, the attacker need only use a set of PowerShell commands.
Since this is not an actual security hole and WaitList.dat is working as it was designed, it will be interesting to see how Microsoft handles the situation, if at all.