Windows 10 users can customise their desktops with unique themes, and are able to create and share those themes with others. Hackers can also use them to steal your credentials.
A flaw in Windows 10’s theme-creation feature lets hackers modify custom themes that, once installed, trick users into passing over their Microsoft account name and password data via counterfeit login pages. This technique wouldn’t necessarily raise any red flags for an average person, as some legit Windows 10 themes have you sign in after installation.
This “Pass the Hash” attack doesn’t steal your password verbatim, but rather the password hash — a jumbled up and obfuscated version of your password’s data. Companies hash password data to keep it more secure when stored on remote servers, but hackers can unscramble passwords with readily available software. In some cases, passwords can be cracked in just a few seconds.
This vulnerability was discovered by cybersecurity researcher Jimmy Bayne, who publicly disclosed the findings in a Twitter thread.
[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user 1/4 pic.twitter.com/rgR3a9KP6Q
— bohops (@bohops) September 5, 2020
Bayne alerted Microsoft to the security risk, but the company says it has no plans to change the Theme feature since the credential passing is an intended feature; Hackers have simply found a way to use it maliciously.
With no official action being taken, it’s up to users to keep themselves safe from shady Windows 10 themes.
BleepingComputer and Bayne outline options for enterprise versions of Windows 10, but these won’t work for general users. The smartest move is to avoid custom themes entirely, but if you keep using them, make sure you’re only downloading official themes from secure sources like the Windows Store.
Whether you keep using custom themes or not, you should also update your accounts with unique passwords, turn on two-factor authentication, and use an encrypted password manager. I would also suggest unlinking third-party accounts from your Microsoft account and using local user accounts to sign in to your PC, rather than your Microsoft Account. Protective steps like these make it harder for outsiders to steal your data, even if they happen to snag a password.