Hackers could use Windows 10 themes to steal passwords

Hacker typing username and password

People like to be individuals, and in the computing arena one way to be a little different is to change the look of Windows by using themes. But a security researcher has warned of a technique that could be exploited by hackers to trick users into divulging their Windows login details when applying a theme.

Malicious theme packs can be used to execute a "pass-the-hash" attack which sends passwords to a remote server. The specially designed themes are easy to create, andthe way the credential stealing attack works will fool many people -- but there are protective measures that can be put in place.

See also:

Security researcher Jimmy Bayne explained that the text files used to configure theme packs could be exploited. Themes are made up of various components including background images, cursors, sound files and more, and they are all linked together by a .theme file. This file is essentially a plain text file that tell Windows where the various resources are in order to make use of the theme.

As reported by Bleeping Computer, this configuration file can be crafted so that Windows is told that rather than loading a locally stored image for the desktop background, it is instead told to look to a remote server. When Windows tries to load the theme, this causes the operating system to display a prompt asking for a user's login credentials. When these are supplied, the username and the NTLM hash of the password are forwarded on. Research shows that these hashes are very easily decrypted.

On Twitter, Bayne shared his findings in a series of tweets

To protect yourself against this type of attack, you could simply avoid using theme packs that comes from unknown sources, or exercise caution when presented with an unexpected login dialog. But as Bayne suggest, it is also a good idea to associate the .theme, .themepack and .desktopthemepackfile extension to a different application so they are not automatically executed if double clicked.

Image credit: frank_peters / Shutterstock

© 1998-2020 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.