A security researcher recently discovered a weakness in how Windows 10 handles custom themes that could allow attackers to steal account credentials from their victims.
For those unaware, a Windows theme is a collection of modifications to the interface which changes the way Windows looks and feels. A theme may alter the standard Windows icons, mouse cursor, sounds, and desktop background that the operating system will use.
Windows users can share their themes with other users via the Settings UI by right-clicking on the currently active theme under Personalization > Themes and selecting “Save theme for sharing”. This packages the theme into a ‘.deskthemepack’ file that can be distributed via email or as a download on a website, and which other users can then download and install.
Jimmy Bayne (@bohops), who found the loophole, revealed that specially crafted Windows themes could be used to carry out a ‘Pass-the-Hash’ attack. The attacker could create a malicious theme file that points to a page prompting the user for credentials.
Pass-the-Hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user’s password, instead of requiring the associated plaintext password as is normally the case. Instead of stealing the plaintext password, the attacker only needs to obtain the hash and use it to authenticate.
[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user 1/4 pic.twitter.com/rgR3a9KP6Q
— bohops (@bohops) September 5, 2020
Using this technique, an attacker could create a specially crafted .theme file whose desktop wallpaper setting points to a website that requires authentication. When an unsuspecting user applies the theme and enters their credentials, an NTLM hash is sent to the site for authentication. That hash can then be cracked with password-cracking tools.
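The mechanism above is easy to check for on the defender's side, because a .theme file is plain INI text. The following scanner is an added example, not code from the article or from the researcher: it parses a .theme file and flags any setting whose value is an http/https URL or a UNC path, which goes slightly beyond the Wallpaper key the article discusses since other path-bearing keys would trigger the same network access. The sample theme contents and the host names in them are constructed for the example.

```python
"""Scan Windows .theme files for settings that reference remote resources.

Added example (not from the article or the researcher's work): a defender-side
check that parses the INI-style .theme format and reports any value pointing
at an http/https URL or a UNC path, since applying such a theme can make
Windows attempt a network authentication.
"""
import configparser
import re
from typing import List, Tuple

# Values that make Windows reach out over the network:
# http/https URLs and UNC paths (\\server\share\...).
REMOTE_VALUE = re.compile(r"^\s*(?:https?://|\\\\[^\\]+\\)", re.IGNORECASE)


def decode_theme_bytes(data: bytes) -> str:
    """Decode a .theme file. Windows writes these as UTF-16 with a BOM or as
    8-bit text; honour the BOM first, then fall back to UTF-8 / cp1252."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    if data.startswith(b"\xef\xbb\xbf"):
        return data.decode("utf-8-sig")
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.decode("cp1252")


def find_remote_references(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every setting whose value is a URL
    or UNC path. Interpolation is off because values contain '%' (for
    example %SystemRoot%), and strict=False tolerates duplicate keys."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the original key case (e.g. "Wallpaper")
    parser.read_string(theme_text)
    hits: List[Tuple[str, str, str]] = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if REMOTE_VALUE.match(value):
                hits.append((section, key, value))
    return hits


def scan_theme_file(path: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: read a .theme file from disk and scan it."""
    with open(path, "rb") as fh:
        return find_remote_references(decode_theme_bytes(fh.read()))


# Constructed sample: a benign theme whose wallpaper is a local file.
BENIGN_THEME = """[Theme]
DisplayName=Sample Theme

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
"""

# Constructed sample: the Wallpaper key points at a remote HTTP resource
# (placeholder host, not a real server).
SUSPICIOUS_THEME = """[Theme]
DisplayName=Sample Theme

[Control Panel\\Desktop]
Wallpaper=http://theme-host.invalid/wallpaper.jpg
"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        hits = find_remote_references(text)
        print(f"{label}: {len(hits)} remote reference(s)")
        for section, key, value in hits:
            print(f"  [{section}] {key} = {value}")
```

Run it over a downloaded theme before applying it, or over a mail-gateway quarantine directory with `scan_theme_file`; any hit is worth a closer look, because a legitimately shared theme normally references files bundled with it or paths under %SystemRoot%.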
Bayne explained that users should be careful about downloading and installing theme packs published on the Web by other users. In order to protect a system from malicious themes, the researcher suggests blocking or re-associating the .theme, .themepack, and .desktopthemepackfile extensions to a different program.
Bayne reported these findings to Microsoft’s Security Response Center (MSRC). However, the bug was not fixed because it was a “feature by design”. It is unclear whether the company plans to fix the issue in the future.
Since most users log in to their Microsoft accounts in Windows 10 to access email, OneDrive, and even Azure data, the theft of these credentials also puts those services at risk. As a primary measure of account security, it is always better to enable two-factor authentication on your Microsoft account to prevent remote access by attackers.