Windows 8 contacts cache exposes personal data

As you probably know, Windows 8 connects with all sorts of networks, social and otherwise. The Metro Mail app has built-in hooks for Hotmail, Gmail, and Exchange; Metro Photos links to Facebook and Flickr; the Metro People app (which stores contacts) can pull data from Hotmail, Gmail, Exchange, Facebook, Twitter, and LinkedIn. All you have to do is log on to Windows 8 with a Microsoft account, then go out and connect the online dots.

You might not know -- at least, I was very surprised to find -- that Windows 8 doesn't build its Contacts list dynamically. Instead, it keeps a cache of contacts from all of those sources stored on the machine. The cache persists even when the user logs off or the machine is turned off. That means anyone who can sign on to your PC with an administrator account can see all of your contacts and all of their data -- names, email addresses, pictures, telephone numbers, addresses -- whatever you have on file or whatever's been sucked in from Hotmail, Gmail, Facebook, Twitter, and LinkedIn.

I found out about the lingering contacts cache in a new white paper (PDF) from Amanda C.F. Thomson, a grad student at George Washington University in Washington, D.C. Her blog, appropriately entitled PropellerHeadForensics, digs deep into the contents of the AppData/Local and AppData/Roaming folders in Windows 8, a messy brew of intertwined hex files that contain all sorts of surprises.