Changing your Windows theme seems innocent enough, and it’s nice to freshen things up occasionally. But you might want to be careful about what sources you use to get new themes. A security researcher has demonstrated a method to alter Windows 10 themes to steal your Microsoft password.
As spotted by Bleeping Computer, security researcher Jimmy Bayne (@bohops) demonstrates that the process isn’t even difficult. It takes advantage of multiple Windows behaviors to perform a “Pass-the-Hash” attack.
In a “Pass-the-Hash” attack, bad actors don’t need your plaintext password. They set up an attack that sends them your hashed password, then they can submit that hash for authentication to Microsoft (or whichever company the password is for); because the hash matches, it works the same as using the plaintext password.
[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user 1/4 pic.twitter.com/rgR3a9KP6Q
— bohops (@bohops) September 5, 2020
As Bayne explains, hackers can alter a Windows theme to force the OS to attempt to connect to a remote SMB share that requires authentication. When Windows connects to a remote SMB share like this, it will automatically submit your profile credentials to log in.
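As an added illustration of the mechanism described above (this is not code from the article or from Bayne), the script below is a defender-side check: it parses the INI-style .theme format with Python’s configparser and flags any value that points to a UNC share or an http(s)/file URL, which is the kind of reference that would make Windows attempt the outbound authentication described. The sample theme contents are constructed, the hostnames are placeholders, and scanning every key rather than only the Wallpaper key is a generalization beyond what the article states.

```python
import configparser
import re
import sys

# Constructed sample .theme contents (placeholders, not taken from the article).
# A normal theme points Wallpaper at a local file under %SystemRoot%.
SAFE_THEME = r"""[Theme]
DisplayName=Local Example

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
"""

# A theme whose Wallpaper is a UNC path to a remote share (hostname is a placeholder).
SUSPECT_UNC_THEME = r"""[Theme]
DisplayName=Remote Share Example

[Control Panel\Desktop]
Wallpaper=\\wallpaper.example.invalid\share\bg.jpg
"""

# A theme whose Wallpaper is an https URL (hostname is a placeholder).
SUSPECT_HTTP_THEME = r"""[Theme]
DisplayName=Remote Web Example

[Control Panel\Desktop]
Wallpaper=https://themes.example.invalid/bg.jpg
"""

# Reference forms that resolve to something off the local machine.
REMOTE_PATTERNS = (
    re.compile(r"^\\\\[^\\]+\\"),              # UNC path: \\host\share\...
    re.compile(r"^(https?|ftp)://", re.I),     # web URL
    re.compile(r"^file://[^/]", re.I),         # file URL with a non-empty host part
)


def find_remote_references(theme_text: str) -> list[tuple[str, str, str]]:
    """Return (section, key, value) for every value that points at a remote location.

    Every key in every section is checked (a generalization: the article only
    mentions the Wallpaper key), so other path-valued entries are covered too.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the original key casing for reporting
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            candidate = value.strip().strip('"')
            if any(p.match(candidate) for p in REMOTE_PATTERNS):
                hits.append((section, key, candidate))
    return hits


def load_theme_text(path: str) -> str:
    """Read a .theme file from disk, handling the UTF-16 encoding Windows often uses."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


if __name__ == "__main__":
    # With file paths as arguments, scan those files; otherwise run on the samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            for section, key, value in find_remote_references(load_theme_text(path)):
                print(f"{path}: [{section}] {key} -> {value}")
    else:
        for name, text in (("safe", SAFE_THEME),
                           ("unc", SUSPECT_UNC_THEME),
                           ("http", SUSPECT_HTTP_THEME)):
            print(name, find_remote_references(text))
```

Run it with one or more .theme paths to report every entry that would pull content from a remote host; a theme obtained from a download site should normally produce no output at all.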
Microsoft moved to online accounts with Windows 10, and it’s slowly pushing everyone to use them. If you already use your Microsoft account, that means your Microsoft username and hashed password get passed to the hacker.
Once the hacker makes the change to a theme, they can save it and upload it to websites that host Windows themes. You won’t know what hit you until it’s too late. Bayne reported the problem to Microsoft, but the company declined to create a fix, as it’s a “feature by design.”
Bayne proposed a few solutions, but they involve breaking the theme component of Windows.
Once you do it, you can’t change themes (until you undo the change). The safest thing you can do is turn on two-step authentication. If someone steals your password, they still won’t have everything they need to get into your account.
Source: Jimmy Bayne via Bleeping Computer