There is a Windows file named WaitList.dat that covertly collects your passwords and email information, with the help of Windows Search Indexer service.
Digital Forensics and Incident Response (DFIR) expert Barnaby Skeggs first discovered the information about the file back in 2016 but wasn’t paid much attention. However, in after a new and exclusive interview with ZDNet – it appears that the file, in fact, is reasonably dangerous.
People who own a touchscreen Windows PC or a stylus-compatible laptop are prone to the dangers of this Windows file. Specifically, users who have enabled the handwriting recognition tool which automatically translates touchscreen scribbles into text format.
Essentially, the file is there to improve the accuracy of the handwriting recognition to come up with better predictive suggestions. But while doing so, the file starts storing actual text from your e-mails and office documents.
“Once it (handwriting recognition tool) is on, text from every document and email which is indexed by the Windows Search Indexer service is stored in WaitList.dat. Not just the files interacted via the touchscreen writing feature,” Skeggs says.
Skeggs also mentions that WatList.dat contains an extract of every recognized text, even if the original file/source has been deleted or removed from the system.
In his last month’s tweet, Barnaby also pointed out the critical dangers of possessing this Windows system file. He said if an attacker wanted to collect sensitive data from a user, instead of searching the whole disk for private information, he would grab the WaitList.dat and search for passwords using simple PowerShell commands.
The default location of the file is C:\Users\%User%\AppData\Local\Microsoft\InputPersonalization\TextHarvester\WaitList.
The handwriting feature is there since Windows 8 which means the vulnerability has been there for many years. However, if you don’t store valuable information like passwords or email on your PC, you aren’t much likely to get affected much.