Hacked Windows 10 Themes Could Swipe Your Microsoft Login
Windows 10 users can customize their desktops with unique themes, and can create and share these themes with others. Hackers can also use them to steal your credentials.
A flaw in the theme creation feature in Windows 10 allows hackers to modify custom themes, which, once installed, force users to submit their Microsoft account name and password via fake login pages. This method will not necessarily trigger any red flags for the average person, as some legitimate Windows 10 themes require you to log in after installation.
This pass-the-hash attack does not steal your password verbatim, but rather the password hash, a jumbled, obfuscated version of your password data. Companies hash password data to keep it secure when stored on remote servers, but hackers can crack the hashes to recover passwords using readily available software. In some cases, passwords can be cracked in just a few seconds.
This vulnerability was discovered by cybersecurity researcher Jimmy Bayne, who publicly posted his findings in a Twitter thread.
Bayne warned Microsoft about the security threat, but the company says it has no plans to change the themes feature, as credential transfer is an intended function; hackers have just found a way to exploit it maliciously.
Since no official action is being taken, users must protect themselves against shady Windows 10 themes.
BleepingComputer and Bayne outline options for enterprise versions of Windows 10, but those won't work for casual users. The smartest move is to avoid custom themes entirely, but if you continue to use them, make sure you only download official themes from secure sources like the Windows Store.
Whether you continue to use custom themes or not, you should also update your accounts with unique passwords, enable two-factor authentication, and use an encrypted password manager. I also suggest unlinking third-party accounts from your Microsoft account and using local user accounts to sign in to your computer rather than your Microsoft account. These security measures make it difficult for outsiders to steal your data, even if they happen to capture your password.