Hackers Can Use Altered Windows 10 Themes to Steal Your Microsoft Password

A shadow profile of a padlock held over the Microsoft logo
Alberto Garcia Guillen/Shutterstock

Changing your Windows theme seems innocent enough, and it’s nice to freshen things up occasionally. But you might want to be careful about what sources you use to get new themes. A security researcher has demonstrated a method to alter Windows 10 themes to steal your Microsoft password.

As spotted by Bleeping Computer, security researcher Jimmy Bayne (@bohops) demonstrates that the process isn’t even difficult. It takes advantage of multiple Windows behaviors to perform a “Pass-the-Hash” attack.

In a “Pass-the-Hash” attack, bad actors don’t worry about getting your plaintext password. They set up an attack that sends them your hashed password. Then they can send that for authentication to Microsoft (or whichever company the password is for), and since it matches correctly, it will work the same as using the plaintext password.

As Bayne explains, hackers can alter a Windows theme to force the OS to attempt to connect to a remote SMB share that requires authentication. When Windows connects to a remote SMB share like this, it will automatically submit your profile credentials to log in.

Microsoft moved to online accounts with Windows 10, and it’s slowly pushing everyone to use them. If you already use your Microsoft account, that means your Microsoft username and hashed password get passed to the hacker.

Once the hacker makes the change to a theme, they can save it and upload it to websites that host Windows themes. You won’t know what hit you until it’s too late. Bayne reported the problem to Microsoft, but the company declined to create a fix as it’s a “feature by design.”
Bayne proposed a few solutions, but they involve breaking the theme component for Windows.

Once you do it, you can’t change themes (until you undo the change). The safest thing you can do is turn on two-step authentication. If someone steals your password, they still won’t have everything they need to get into your account.
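As a check to run before applying a downloaded theme, the script below (an added example, not code from Bayne or Microsoft) reads a theme file's INI-style text and lists every value that points at another host, such as a UNC share. The sample input is constructed, and its section and key names are placeholders rather than real theme keys.

```python
import re
from pathlib import Path

# Constructed sample; section and key names are placeholders, not real theme keys.
SAMPLE = r"""
; constructed sample theme
[Example Section]
DisplayName=Example
ExampleImage=\\files.example.invalid\share\bg.jpg
LocalImage=%SystemRoot%\web\wallpaper\img0.jpg
"""

def is_remote(value):
    """True if a theme value points at another host (UNC share or remote URL)."""
    v = value.strip().strip('"')
    url = re.match(r"(?i)(file|https?)://([^/\\]*)", v)
    if url:  # file:///C:/... has an empty host and stays local
        return url.group(2).lower() not in ("", "localhost")
    low = v.replace("/", "\\").lower()
    if low.startswith("\\\\?\\unc\\"):  # long-path form of a UNC share
        return True
    if low.startswith(("\\\\?\\", "\\\\.\\")):  # local device paths
        return False
    return low.startswith("\\\\")  # \\host\share

def find_remote_refs(text):
    """Return (section, key, value) for every value that leaves the machine."""
    hits, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and is_remote(value):
            hits.append((section, key.strip(), value.strip()))
    return hits

def read_theme(path):
    """Decode a theme file, which may be UTF-16 or an 8-bit encoding."""
    data = Path(path).read_bytes()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")

if __name__ == "__main__":
    for section, key, value in find_remote_refs(SAMPLE):
        print(f"[{section}] {key} -> {value}")
```

To scan a real download, pass `read_theme(path)` to `find_remote_refs` and treat any hit as a reason not to apply the theme.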

Source: Jimmy Bayne via Bleeping Computer

Josh Hendrickson
Josh Hendrickson has worked in IT for nearly a decade, including four years spent repairing and servicing computers for Microsoft. He’s also a smarthome enthusiast who built his own smart mirror with just a frame, some electronics, a Raspberry Pi, and open-source code.
