This Windows File May Be Secretly Hoarding Your Passwords And Emails
(Sep 19, 2018)
Windows machines with handwriting recognition enabled, the feature that translates stylus and touchscreen writing into formatted text, are susceptible to a Windows “WaitList.dat” file storing sensitive information, such as passwords, without the user’s knowledge. The file is intended to store text that helps Windows improve handwriting recognition, so that it recognises and accurately suggests corrections and/or words based on what a user uses frequently. However, once the handwriting recognition feature is enabled, text from every document and email is indexed into this file, not only text from the files that interacted with the touchscreen feature. The WaitList.dat file therefore stores the actual text of those documents, not just their metadata. If threat actors gained unauthorised access to this specific file on a machine, they would have access to the sensitive data unwittingly stored in it, compromising a wide range of the user’s information.
Recommendation: If the “Personalised Handwriting Recognition” feature on your Windows machine is enabled, disable it and delete the WaitList.dat file from the system to avoid any possible breach of information.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.