Windows 10 themes can be used to steal user credentials

A new finding claims that custom Windows 10 themes can allow hackers to steal user credentials. According to the findings published by security researcher Jimmy Bayne (@bohops) (via BleepingComputer), custom themes can be used to perform Pass-the-Hash attacks on Windows 10 users.

He noted that custom user-created Windows 10 themes are stored under “%AppData%\Microsoft\Windows\Themes” with a “.theme” extension. A theme can be shared with the “Save theme for sharing” setting, which creates a “.deskthemepack” file that can be sent by email. An attacker can abuse this by setting the theme's default wallpaper to a resource on a website that requires authentication. When the user enters credentials at the resulting prompt, the login name and an NTLM hash of the password are sent for authentication; the attacker can capture that hash and attempt to crack it offline to recover the credentials.

[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user 1/4

— bohops (@bohops) September 5, 2020

Because Windows 10 logins are commonly tied to a Microsoft account, the exposure is broader than the local machine: the same credentials may also grant access to other services that authenticate with Microsoft accounts, such as Azure and Office.

From a defensive perspective, block/re-associate/hunt for “theme”, “themepack”, “desktopthemepackfile” extensions. In browsers, users should be presented with a check before opening. Other CVE vulns have been disclosed in recent years, so it is worth addressing and mitigating 4/4

— bohops (@bohops) September 5, 2020

Bayne said that he forwarded his findings to Microsoft earlier this year, but the company said it won’t fix the issue as it is a “feature by design.” Jimmy suggested that users can block the .theme, .themepack, and .desktopthemepackfile extensions or re-associate them with a different program. This breaks the feature, so it should be used as a last resort, because users will no longer be able to change Windows 10 themes.
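As an added defensive example (not from the article or from Bayne's research), the following Python scanner parses a .theme file, which is INI-formatted, and flags any Wallpaper or slideshow path that points to a remote URL or a UNC share rather than a local file; a remote, auth-required location is the condition the credential prompt depends on. The sample theme contents and the hostname are constructed.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .theme contents (not from the original article).
# The wallpaper path lives under [Control Panel\Desktop]; the benign theme
# points at a local image, the suspicious one at a remote web resource.
BENIGN_THEME = """\
[Theme]
DisplayName=Holiday Photos

[Control Panel\\Desktop]
Wallpaper=%LocalAppData%\\Microsoft\\Windows\\Themes\\beach.jpg
"""

SUSPICIOUS_THEME = """\
[Theme]
DisplayName=Quarterly Report

[Control Panel\\Desktop]
Wallpaper=https://intranet.example.invalid/protected/wallpaper.jpg
"""

# URL schemes that make the shell fetch the image off-host.
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}
# Keys whose values are image locations: the wallpaper itself and the
# slideshow root folder.
PATH_KEYS = {"wallpaper", "imagesrootpath"}


def remote_wallpapers(theme_text: str) -> list[str]:
    """Return '[section] key=value' for every image path that is not local."""
    # interpolation=None: .theme values contain '%VAR%' expansions.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(theme_text)
    findings = []
    for section in parser.sections():
        for key, value in parser[section].items():  # keys are lower-cased
            if key not in PATH_KEYS:
                continue
            path = value.strip().strip('"')
            scheme = urlparse(path).scheme.lower()  # 'c' for C:\..., ignored
            if path.startswith("\\\\") or scheme in REMOTE_SCHEMES:
                findings.append(f"[{section}] {key}={path}")
    return findings


def scan_theme_file(filename: str) -> list[str]:
    """Read a .theme from disk (UTF-16 with BOM or UTF-8) and scan it."""
    with open(filename, "rb") as fh:
        raw = fh.read()
    text = raw.decode("utf-16" if raw[:2] == b"\xff\xfe" else "utf-8-sig")
    return remote_wallpapers(text)
```

Run it against the theme files in a user's %AppData%\Microsoft\Windows\Themes folder or against attachments quarantined from mail; an empty result means every image path is local.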

This content was originally published here.
