Hackers could use Windows 10 themes to steal passwords
People like to be individuals, and in the computing arena one way to be a little different is to change the look of Windows by using themes. But a security researcher has warned of a technique that could be exploited by hackers to trick users into divulging their Windows login details when applying a theme.
Malicious theme packs can be used to execute a "pass-the-hash" attack which sends passwords to a remote server. The specially designed themes are easy to create, andthe way the credential stealing attack works will fool many people -- but there are protective measures that can be put in place.
See also:
- If you don't want to be Microsoft's guinea pig, pause Windows Updates
- Microsoft releases KB4497165 and KB4558130 microcode updates for Windows 10 to fix Intel security flaws
- Microsoft releases KB4571744 update to fix lots of Windows 10 problems
Security researcher Jimmy Bayne explained that the text files used to configure theme packs could be exploited. Themes are made up of various components including background images, cursors, sound files and more, and they are all linked together by a .theme file. This file is essentially a plain text file that tell Windows where the various resources are in order to make use of the theme.
As reported by Bleeping Computer, this configuration file can be crafted so that Windows is told that rather than loading a locally stored image for the desktop background, it is instead told to look to a remote server. When Windows tries to load the theme, this causes the operating system to display a prompt asking for a user's login credentials. When these are supplied, the username and the NTLM hash of the password are forwarded on. Research shows that these hashes are very easily decrypted.
On Twitter, Bayne shared his findings in a series of tweets
The wallpaper key is located under the "Control PanelDesktop" section of the .theme file. Other keys may possibly be used in the same manner, and this may also work for netNTLM hash disclosure when set for remote file locations 2/4
— bohops (@bohops) September 5, 2020
From a defensive perspective, block/re-associate/hunt for "theme", "themepack", "desktopthemepackfile" extensions. In browsers, users should be presented with a check before opening. Other CVE vulns have been disclosed in recent years, so it is worth addressing and mitigating 4/4 pic.twitter.com/xaEP1PeDN9
— bohops (@bohops) September 5, 2020
To protect yourself against this type of attack, you could simply avoid using theme packs that comes from unknown sources, or exercise caution when presented with an unexpected login dialog. But as Bayne suggest, it is also a good idea to associate the .theme, .themepack and .desktopthemepackfile extension to a different application so they are not automatically executed if double clicked.
Image credit: frank_peters / Shutterstock