Windows 10 custom themes can be used to steal user credentials
Security researcher Jimmy Bayne discovered a new Windows 10 vulnerability in the operating system’s themes engine that can be used to steal users’ credentials.
[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user 1/4 pic.twitter.com/rgR3a9KP6Q
— bohops (@bohops) September 5, 2020
Windows 10 allows you to create and share themes by navigating to Settings | Personalization | Themes and then selecting the Save theme for sharing option. This action will create a new file with *deskthemepack extension that can be shared with other Windows 10 users.
Attackers have found a way to exploit this vulnerability by creating a malicious theme that asks for user credentials once opened. When users types their credentials an NTLM hash is sent to a malicious web site. Furthermore, an attacker can then use de-hashing software to crack non-complex passwords.
To avoid being hacked, we advise you to download only themes from trusted sources like Microsoft Store.