
Windows file may be storing passwords and emails - walterbell
https://www.zdnet.com/article/this-windows-file-may-be-secretly-hoarding-your-passwords-and-emails/#
======
Someone1234
I went into this article skeptical (due to the title, ZDNet, and how often
unreasonable Windows 10 complaints get posted) but this one seems legitimate.

The WaitList.dat really does seem like a legitimate threat to security and
privacy. I don't currently have a touch device to test the included
PowerShell script, but I'd be interested to hear what others find.

I actually understand why Microsoft is recording this information (since it
helps them understand the user's sentence structure/words, to make recognition
more accurate) but it is also a huge treasure trove of personal information
that many wouldn't have been aware of.

I wonder if there is a way to store this information more securely?

~~~
ocdtrekkie
It's "legitimate"... but anyone concerned about privacy should've already had
this turned off (as I have ever since Windows 10 released). This won't happen
if you turn off "inking and typing recognition" in the Windows setup screen
during initial install (or later via the Settings app).

[https://privacy.microsoft.com/en-us/windows-10-speech-inking...](https://privacy.microsoft.com/en-us/windows-10-speech-inking-typing-and-privacy-faq)

The argument could be made that Microsoft should do a better job to secure
this file on your PC, but since if you're letting them create this file,
they're sending all this data to the cloud anyways...

~~~
dustfinger
>It's "legitimate"... but anyone concerned about privacy should've already had
this turned off

What about those that are ignorant? They may be ignorant about the
implications of having personal data collected. They may be technically
ignorant and thus unaware that they can turn off this feature. In the end it
doesn't matter because the vast majority are, and arguably will remain,
ignorant. Is their privacy no less important?

Features that collect personal information should always follow an explicit
opt in policy to protect the ignorant. If companies are concerned that too
many people will leave these features off then they need to take the steps
required to educate the end user.

~~~
ocdtrekkie
I agree, but my point is that when this setting is already keylogging you and
sending your data to the cloud by default, the fact that it's also stored on
your PC is hardly increasing your risk much.

------
supernovae
This file is the Windows Search service index file. Here is a parser you can
use to see what it does index.

[https://github.com/B2dfir/wlrip](https://github.com/B2dfir/wlrip)

There may be other files that read this, but it was found with a quick search.

------
DailyHN
Important points:

> text from every document and email which is indexed by the Windows Search
> Indexer service is stored in WaitList.dat

> This doesn't include only metadata, but the actual document's text.

------
SurrealSoul
Yikes. I don't know what is worse, the fact that this file indexes
_Everything_ if you have a touch tablet or this buzzword clickbait title

~~~
craftyguy
The title is not clickbait if it is true.

~~~
Skunkleton
No, the title is clickbait. It makes a bold, but non-committal statement
while not providing any real context.

Edit: also a quick google shows that the existence and purpose of the file has
been public knowledge for at least two years.

~~~
chris_wot
I suppose it is the words “hoarding” and “secret” you are concerned about?

~~~
Skunkleton
Someone can write a click-baity article about something that is actually
important. That is what has happened here.

------
mjevans
Security, Convenience, Cost - Pick two, at most.

~~~
zokier
Where do I sign up for security+convenience at any cost?

~~~
Angostura
How convenient would you find MacOS?

~~~
matthewmacleod
Big fan of MacOS, but "passwordless root login vulnerability" does not imply a
particularly secure system.

------
kyberias
So the Windows search uses an index to make search faster. Amazing discovery!

~~~
progval
The issue is that this search index contains the plain text.

~~~
kyberias
Of course it contains the plain text. The index is used to search plain text.

It indexes documents on the disc that are already plain text.

It only stores sensitive data if the user had sensitive documents on the disc
that were then indexed.

~~~
progval
But it's possible to have a search index without the plain text. For instance
with a (rolling) hash.
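The idea in the comment above, as an added illustration that is not part of the thread or of any Microsoft component: an inverted index whose keys are keyed hashes (HMAC) of tokens rather than the tokens themselves, so the index file alone does not reproduce document text. `SECRET_KEY`, `DOCS` and all function names are constructed for this demo; an unkeyed hash of single words would be trivially reversed with a dictionary, which is why the key is kept out of the index.

```python
import hmac
import hashlib
import re
from collections import defaultdict

# Constructed placeholder; a real deployment would hold a per-user secret
# outside the index file (e.g. in the OS credential store).
SECRET_KEY = b"constructed-demo-key"

def tokenize(text):
    """Lower-case alphanumeric tokens, the unit we index."""
    return re.findall(r"[a-z0-9]+", text.lower())

def token_tag(token, key=SECRET_KEY):
    """Keyed tag for a token: HMAC-SHA256, truncated for compactness."""
    return hmac.new(key, token.encode(), hashlib.sha256).hexdigest()[:16]

class HashedIndex:
    def __init__(self, key=SECRET_KEY):
        self.key = key
        self.postings = defaultdict(set)  # tag -> set of document ids

    def add(self, doc_id, text):
        # Only the tag is stored; the word itself never touches the index.
        for tok in set(tokenize(text)):
            self.postings[token_tag(tok, self.key)].add(doc_id)

    def search(self, query):
        """AND-query: ids of documents containing every query term."""
        tags = [token_tag(t, self.key) for t in tokenize(query)]
        if not tags:
            return set()
        result = set(self.postings.get(tags[0], set()))
        for tag in tags[1:]:
            result &= self.postings.get(tag, set())
        return result

    def contains_plaintext(self, word):
        """Sanity check for the property the comment argues for."""
        return word.lower() in self.postings

# Constructed sample documents standing in for indexed emails.
DOCS = {
    "mail-1": "Reset your password: temporary password hunter2",
    "mail-2": "Meeting notes: budget review on Friday",
}

def build_demo_index():
    idx = HashedIndex()
    for doc_id, text in DOCS.items():
        idx.add(doc_id, text)
    return idx
```

Note that this still leaks structure (which documents share terms, how many distinct terms each has), so it reduces rather than removes the exposure of a leaked index.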

