A security researcher recently discovered a weakness in Windows 10's custom theme settings that could allow attackers to steal account credentials from their victims.
For those unaware, a Windows theme is a collection of modifications to the interface which changes the way Windows looks and feels. A theme may alter the standard Windows icons, mouse cursor, sounds, and desktop background that the operating system uses.
Windows users can share their themes with other users via the Settings UI by right-clicking on the currently active theme under Personalization > Themes and selecting "Save theme for sharing". This packages the theme into a '.deskthemepack' file that can be shared via email or offered as a download on websites, then downloaded and installed by other users.
Jimmy Bayne (@bohops), who found the loophole, revealed that specially crafted Windows themes could be used to carry out a "Pass-the-Hash" attack. The attacker could create a malicious theme file whose wallpaper setting points to a remote page that prompts the user for credentials.
Pass-the-Hash is a hacking technique that allows an attacker to authenticate to a remote server or service using the underlying NTLM or LanMan hash of a user's password instead of the plaintext password that would normally be required. It replaces the need to steal the plaintext password with merely stealing the hash and using that to authenticate.
[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user 1/4 pic.twitter.com/rgR3a9KP6Q
— bohops (@bohops) September 5, 2020
Using this information, an attacker could create a specially crafted ".theme" file that changes the default desktop wallpaper to a website requiring credentials. When an unsuspecting user applies this theme file and enters their credentials, an NTLM hash is sent to the site for authentication. That hash can then be cracked offline with password-cracking tools.
Bayne explained that users should be careful about downloading and installing theme packs published on the Web by other users. In order to protect the system from malicious themes, the researcher suggests blocking the .theme, .themepack, and .desktopthemepackfile extensions or re-associating them with a different program.
Bayne reported these findings to Microsoft's Security Response Center (MSRC). However, the bug was not fixed because it was considered a "feature by design". It is unclear whether the company plans to fix the issue in the future.
Since most users log in to their Microsoft accounts on Windows 10 to access email, OneDrive, and even Azure data, theft of these credentials also puts those services at risk. As a primary account-security measure, it is always better to enable two-factor authentication for your Microsoft accounts to prevent remote access by attackers.
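As an added example (not code from the article or from Bayne), the following Python scanner parses the INI-style text of a .theme file and flags any Wallpaper key that points off-host, which is the condition that triggers the credential prompt described above. The two theme bodies are constructed samples; beyond the article's http/s case it also flags UNC paths, since Windows would likewise authenticate to a remote file server for those.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .theme contents (not files from the article). A .theme file
# is INI text; the desktop wallpaper is set by the Wallpaper key in the
# [Control Panel\Desktop] section.
BENIGN_THEME = """\
[Theme]
DisplayName=Corporate Blue

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
WallpaperStyle=10
"""

SUSPICIOUS_THEME = """\
[Theme]
DisplayName=Free Wallpaper Pack

[Control Panel\\Desktop]
Wallpaper=https://wallpapers.example.invalid/auth/bg.jpg
WallpaperStyle=10
"""

REMOTE_SCHEMES = {"http", "https", "ftp"}


def parse_theme(theme_text: str) -> configparser.RawConfigParser:
    """Parse .theme text; interpolation is off so %SystemRoot%-style values survive."""
    parser = configparser.RawConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key names exactly as written in the file
    parser.read_string(theme_text)
    return parser


def is_remote_path(value: str) -> bool:
    """True for http/https/ftp URLs and for UNC paths (\\\\server\\share\\...)."""
    value = value.strip().strip('"')
    if value.startswith("\\\\") or value.startswith("//"):
        return True  # UNC path: Windows would authenticate to that file server
    return urlparse(value).scheme.lower() in REMOTE_SCHEMES


def remote_wallpaper_refs(theme_text: str) -> list[tuple[str, str]]:
    """Return (section, value) pairs for Wallpaper keys that point off-host."""
    parser = parse_theme(theme_text)
    return [(section, value)
            for section in parser.sections()
            for key, value in parser.items(section)
            if key.lower() == "wallpaper" and is_remote_path(value)]
```

Packaged .themepack/.deskthemepack files are CAB archives that contain a .theme file; extract that file first and feed its text to remote_wallpaper_refs.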