<p>Security researcher Jimmy Bayne discovered a new Windows 10 vulnerability in the operating system&#8217;s themes engine that can be used to steal users&#8217; credentials.</p>
<p><img class="alignnone size-full wp-image-2929" src="https://www.wincert.net/wp-content/uploads/2019/01/theme2_accent.jpg" alt="" width="844" height="480" /></p>
<blockquote class="twitter-tweet" data-width="500" data-dnt="true">
<p lang="en" dir="ltr">[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user 1/4 <a href="https://t.co/rgR3a9KP6Q">pic.twitter.com/rgR3a9KP6Q</a></p>
<p>&mdash; bohops (@bohops) <a href="https://twitter.com/bohops/status/1302264069311926274?ref_src=twsrc%5Etfw">September 5, 2020</a></p></blockquote>
<p>Windows 10 allows you to create and share themes by navigating to <strong>Settings | Personalization | Themes</strong> and then selecting the <em><strong>Save theme for sharing</strong></em> option. This action creates a new file with the <strong>.deskthemepack</strong> extension that can be shared with other Windows 10 users.</p>
<p>Attackers have found a way to exploit this vulnerability by creating a malicious theme that asks for user credentials once opened. When a user types their credentials, an NTLM hash is sent to a malicious web site. An attacker can then use hash-cracking software to recover non-complex passwords.</p>
<p>To avoid being hacked, we advise you to download themes only from trusted sources like the <a href="https://www.microsoft.com/en-us/store/collections/windowsthemes" target="_blank" rel="noopener noreferrer">Microsoft Store</a>.</p>
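<p>A pre-open check for the condition described in the tweet above, as an added example that is not code from the researcher or from Microsoft: it parses the INI text of a .theme file and reports any Wallpaper key that points to a remote resource. It assumes the .theme text has already been extracted from any .deskthemepack archive, it also flags UNC paths as a generalization beyond the http/s case on the page, and the sample themes and host names are constructed.</p>

```python
import re
import sys
from pathlib import Path

# A Wallpaper value starting with http://, https:// or \\ is fetched over the network.
REMOTE = re.compile(r"^(https?://|\\\\)", re.IGNORECASE)

def decode_theme(data: bytes) -> str:
    """Theme files are INI text; handle UTF-16 with a BOM, else treat as 8-bit/UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")

def remote_wallpapers(theme_text: str):
    """Return [(section, value)] for each Wallpaper key that points off-host."""
    findings, section = [], ""
    for raw in theme_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "wallpaper":
            value = value.strip().strip('"')
            if REMOTE.match(value):
                findings.append((section, value))
    return findings

# Constructed samples (not taken from the page).
BENIGN = ("[Theme]\nDisplayName=Plain\n\n[Control Panel\\Desktop]\n"
          "Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg\n")
SUSPECT = ("[Theme]\nDisplayName=Holiday\n\n[Control Panel\\Desktop]\n"
           "Wallpaper=https://files.example.invalid/protected/bg.jpg\n")

if __name__ == "__main__":
    # Usage: python check_theme.py file1.theme file2.theme ...
    for arg in sys.argv[1:]:
        text = decode_theme(Path(arg).read_bytes())
        for section, value in remote_wallpapers(text):
            print(f"{arg}: [{section}] Wallpaper -> {value}")
```

<p>A finding here means the theme should not be activated until the remote host has been reviewed; a theme with only local wallpaper paths produces no output.</p>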