Security researcher: Windows 10 themes can be used to steal passwords

Windows 10 has a feature with themes to quickly change the appearance of several parts of the interface, such as desktop background, mouse pointer, Start menu, and fonts.

The system has some built-in themes, but users can also create new themes themselves and save these in a format that can be shared with others. Such a theme file is in fact a simple text file with instructions for which settings the system should use.

Security researcher Jimmy Bayne has discovered that these files can be used to steal your Windows password – which for most users is in fact the password for the Microsoft account – writes Bleeping Computer.

By entering a web address instead of an address on the hard disk as the desktop background, which in fact leads to a smb sharing, the user’s computer is tricked into automatically sending usernames and a hash code of the password to the hackers. If your password is simple, it can be calculated based on the hash code relatively quickly.

Bleeping Computer writes that one way to prevent the attack is to turn off outgoing NTLM traffic in the advanced network settings. However, it can make up for it for business users who use network sharing.

One way to protect yourself is to use an extremely secure password for your Microsoft account, over 20 randomly generated characters including numbers and special characters. Save it in a password manager and use Windows Hello or a PIN for faster login to your computer. Of course, you should also enable two-factor authentication.