Sticky Notes: Is It Safe?

Hai vaknin
Jul 28, 2022


What if I told you it’s better to forget your password than to write it down in a sticky note?

Background

Sticky Notes is a desktop notes application included in Windows 7, Windows 8, and Windows 10. The app enables users to quickly take notes using post-it note–like windows on their desktop. Sticky Notes originated in Windows XP Tablet Edition in 2002 and was included with Windows Vista as a gadget for the Windows Sidebar.

According to Microsoft, there were eight million monthly Sticky Notes users as of April 2016. It is built into Outlook.com and Microsoft Teams.

It was bothering me: where are the notes that I write down stored?

First, I used Procmon to monitor which files are loaded while the Sticky Notes application is launching. Then I focused on identifying the location of the files that were touched by any read/write actions.

Procmon Filter

I reached the following conclusions:

  • The default storage path for Windows Sticky Notes is:
    C:\Users\username\AppData\Roaming\Microsoft\Sticky Notes
    which means that a low-privilege user can access those files.

The Sticky Notes store file may differ between OS versions:

  • StickyNotes.snt is used on Windows 8.1/8/7.
  • plum.sqlite is mainly used on Windows 10.

Adversaries may take advantage of this by copying those files to another location, such as an external hard drive or flash drive, and then loading them on their own machine in order to read the victim's notes.

How can we load those Sticky Notes?

Copy the following files

  • plum.sqlite-wal
  • plum.sqlite-shm
  • plum.sqlite
  • Ecs.dat

into this folder:

C:\Users\username\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState

After these files are loaded into that folder and the Sticky Notes application is opened, the stolen notes appear, allowing attackers to read them.
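One way to detect the copy-and-load scenario above, added here as an example and not code from the original article: it filters Windows Security file-access events (Event ID 4663) for processes other than the Sticky Notes app touching the store files. It assumes object-access auditing is enabled on the two folders; the allowlisted image names and all sample events are assumptions constructed for illustration.

```python
import ntpath

# Store folders and file names as given in the article (compared lowercased).
STORE_DIRS = (
    r"\appdata\roaming\microsoft\sticky notes",
    r"\appdata\local\packages\microsoft.microsoftstickynotes_8wekyb3d8bbwe\localstate",
)
STORE_FILES = {"stickynotes.snt", "plum.sqlite", "plum.sqlite-wal",
               "plum.sqlite-shm", "ecs.dat"}

# ASSUMPTION: image names of the Sticky Notes app itself. Confirm them on your
# endpoints and add any backup or AV agents expected to touch these files.
ALLOWED_IMAGES = {"microsoft.notes.exe", "stikynot.exe"}


def is_store_file(path):
    """True if path is a note store file inside one of the store folders."""
    folder, name = ntpath.split(path.lower())
    return name in STORE_FILES and folder.endswith(STORE_DIRS)


def suspicious_accesses(events):
    """Return events where a non-allowlisted process touched the note store."""
    return [
        ev for ev in events
        if is_store_file(ev["ObjectName"])
        and ntpath.basename(ev["ProcessName"]).lower() not in ALLOWED_IMAGES
    ]


# Constructed sample events (not real logs), using Event ID 4663 field names.
LOCAL = (r"C:\Users\alice\AppData\Local\Packages"
         r"\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState")
ROAMING = r"C:\Users\bob\AppData\Roaming\Microsoft\Sticky Notes"
SAMPLE_EVENTS = [
    {"SubjectUserName": "alice", "ObjectName": LOCAL + r"\plum.sqlite",
     "ProcessName": r"C:\Program Files\WindowsApps\pkg\Microsoft.Notes.exe"},
    {"SubjectUserName": "alice", "ObjectName": LOCAL + r"\plum.sqlite-wal",
     "ProcessName": r"C:\Temp\copytool.exe"},
    {"SubjectUserName": "bob", "ObjectName": ROAMING + r"\StickyNotes.snt",
     "ProcessName": r"C:\Windows\explorer.exe"},
    {"SubjectUserName": "alice", "ObjectName": r"C:\Users\alice\Documents\plum.sqlite",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for ev in suspicious_accesses(SAMPLE_EVENTS):
        print(ev["SubjectUserName"], ev["ProcessName"], "->", ev["ObjectName"])
```

The same rule covers both halves of the scenario: reads of the store by an unexpected process on the victim machine, and writes of those files into LocalState by anything other than the app.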

Conclusion
Sticky Notes is an easy-to-use way of storing private notes. The content, however, is not stored in a secure way, and thus users should think twice before storing sensitive information such as passwords in these notes.
