Windows 10 themes could put your PC at risk

(Image credit: Shutterstock)

Windows 10 custom themes can be abused to potentially steal passwords it has emerged, in the latest security scare to hit Microsoft’s desktop OS.

As you’re probably aware, Windows 10 users can download a range of custom themes to personalize their desktop environment, with these themes being designed to be easy to share.

It’s a nice touch to be able to have convenient access to such themes to customize your operating system, but the problem here is that a security researcher, Jimmy Bayne, has discovered how themes can be used as a carrier for a so-called ‘Pass-the-Hash’ attack (as spotted by Bleeping Computer).

Bayne notes that a specially modified Windows theme can have a wallpaper key configured to point to a web resource that triggers an authorization prompt, allowing login credentials to be stolen (the login to your Microsoft account, unless you use a local login for Windows).

This is because Windows automatically attempts to log in to the remote resource and sends the username plus the NTLM hash of the password of the logged-in account (hence the Pass-the-Hash name). Of course, the attackers then have to crack the hashed password, but that might not be all that difficult, depending on the strength of the password (and as we all know, poor passwords are all too often used).

Working as designed?

Bayne fully details the problem, and potential countermeasures, in a collection of tweets as follows:

See more
See more

As you can see above, Bayne explains that this possible attack vector has already been pointed out to Microsoft earlier this year, but the software giant said this is apparently working as designed, so not considered a vulnerability.

Further note that the prevention tactic discussed in the final tweet will effectively break Windows 10 themes, so you won’t be able to change from your existing one, but for now, that may be preferable to running any risks.

Jake Moore, cybersecurity specialist at ESET, commented: “These themes are clearly not created with security in mind, and given the risk of exposing passwords and other sensitive information, users must think twice before installing them.

“It is highly recommended to use two-factor authentication for as many services that offer it; with more users forced to move away from local Microsoft accounts, this comes with the added risk of remote attacks and the potential of attacking further services such as email.”

Using two-factor authentication for your Microsoft account is a good idea anyway, but this news might hurry you along to set that up, if you haven’t already.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).