Windows 10 users can customize their desktops with unique themes, and are able to create and share those themes with others. Hackers can also use them to steal your credentials.
A flaw in Windows 10’s theme-creation feature lets hackers modify custom themes that, once installed, trick users into passing over their Microsoft account name and password data via counterfeit login pages. This technique wouldn’t necessarily raise any red flags for an average person, as some legit Windows 10 themes have you sign in after installation.
This “Pass the Hash” attack doesn’t steal your password verbatim, but rather the password hash—a jumbled up and obfuscated version of your password’s data. Companies hash password data to keep it more secure when stored on remote servers, but hackers can unscramble passwords with readily available software. In some cases, passwords can be cracked in just a few seconds.
This vulnerability was discovered by cybersecurity researcher Jimmy Bayne, who publicly disclosed the findings in a Twitter thread.
This Tweet is currently unavailable. It might be loading or has been removed.
Bayne alerted Microsoft to the security risk, but the company says it has no plans to change the Theme feature since the credential passing is an intended feature; Hackers have simply found a way to use it maliciously.
With no official action being taken, it’s up to users to keep themselves safe from shady Windows 10 themes.
BleepingComputer and Bayne outline options for enterprise versions of Windows 10, but these won’t work for general users. The smartest move is to avoid custom themes entirely, but if you keep using them, make sure you’re only downloading official themes from secure sources like the Windows Store.
Whether you keep using custom themes or not, you should also update your accounts with unique passwords, turn on two-factor authentication, and use an encrypted password manager. I would also suggest unlinking third-party accounts from your Microsoft account and using local user accounts to sign in to your PC, rather than your Microsoft Account. Protective steps like these make it harder for outsiders to steal your data, even if they happen to snag a password.
You wouldn’t catch me at an Apple retail store unless smoke was pouring out of my Mac. And even in the best of pandemic times, waiting at the Genius B
Like Jaqen H’ghar, the Apple Watch has many faces. And while it’s easy to manually swipe through all the different options, there’s no need to do so:
HBO Max is a pretty sweet streaming service, rolling up shows and movies from HBO, Cartoon Network, Adult Swim, and Turner Classic Movies with tons of
Last week, during an investor conference call masquerading as entertaining content (or vice versa) Disney announced an exhausting number of new Disney
The Google Maps app now has a split-screen street view option on Android. Turning it on lets you use Street View and the map simultaneously, which mak
It’s possible you have a few photos on your iPhone or iPad that you’d rather not stumble upon—or have anyone else stumble upon, such as a picture of y
Not all photos or videos need to (or should) last forever in your camera roll. If you want to send photos that will be opened once and then disappear
You never know when you’re going to need to record something on your phone. Maybe there’s a rat in the subway bringing its slice home for dinner; mayb
We are a comprehensive and trusted information platform dedicated to delivering high-quality content across a wide range of topics, including society, technology, business, health, culture, and entertainment.
From breaking news to in-depth reports, we adhere to the principles of accuracy and diverse perspectives, helping readers find clarity and reliability in today’s fast-paced information landscape.
Our goal is to be a dependable source of knowledge for every reader—making information not only accessible but truly trustworthy. Looking ahead, we will continue to enhance our content and services, connecting the world and delivering value.
