Security researchers have warned that Windows 10 custom themes could be used to steal user credentials.

Windows 10’s theme settings are flawed, and malicious actors can steal users’ credentials by creating specially crafted themes to carry out “Pass-the-Hash” attacks, Bleeping Computer reported on Twitter, citing security researcher Jimmy Bayne. Specifically, themes from other sources can be installed, allowing an attacker to create a malicious theme file that, when opened, redirects the user to a page that requires their credentials.

Reportedly, right-clicking on the desktop leads to the “Personalization > Themes” settings page. Users can then click “Save theme for sharing” to create a “.deskthemepack” file.

Custom themes created in this way can be shared, downloaded, and installed through channels such as e-mail. An attacker could likewise create a “.theme” file whose default wallpaper setting points to a website that requires authentication.

When careless users enter their credentials, the NTLM hash value containing those details is sent to the site for authentication, which allows an attacker to brute-force a non-complex password with specialized hash-cracking software.

Users need to be alert to files such as .themepack and .desktopthemepackfile.
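
One way to triage a received “.theme” file before anyone opens it, as an added example that is not from the original report: the script lists every setting whose value names a remote host. It assumes theme files are INI-style `key=value` text; the sample inputs and host names are constructed, and `.themepack`/`.deskthemepack` archives would have to be unpacked first, which the script does not do.

```python
import re
import sys

# Values that make Windows contact another host: http(s) URLs and
# UNC paths (\\host\share or //host/share). Group 1 is the host name.
REMOTE = re.compile(r'^(?:https?://|\\\\|//)([^\\/:?#\s]+)', re.IGNORECASE)

def decode_theme(raw: bytes) -> str:
    """Decode theme text; a BOM marks UTF-16, otherwise assume an 8-bit encoding."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def remote_references(raw: bytes):
    """Return (section, key, host) for every setting that points off the machine."""
    findings, section = [], ""
    for line in decode_theme(raw).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):        # blank line or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:                                  # not a key=value line
            continue
        match = REMOTE.match(value.strip().strip('"'))
        if match:
            findings.append((section, key.strip(), match.group(1).lower()))
    return findings

# Constructed samples (not taken from any real theme file).
SAMPLE_LOCAL = (b"[Theme]\r\nDisplayName=Local\r\n\r\n[Control Panel\\Desktop]\r\n"
                b"Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg\r\n")
SAMPLE_REMOTE = (b"[Theme]\r\nDisplayName=Shared\r\n\r\n[Control Panel\\Desktop]\r\n"
                 b"Wallpaper=https://files.example.invalid/bg.jpg\r\n")

if __name__ == "__main__":
    # With file arguments, scan those files; otherwise scan the samples.
    inputs = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "sample-local": SAMPLE_LOCAL, "sample-remote": SAMPLE_REMOTE}
    for name, raw in inputs.items():
        hits = remote_references(raw)
        print(name, "REMOTE REFERENCE" if hits else "ok", hits)
```

A hit means the file should not be opened until someone has confirmed the host is expected.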

In response, Bleeping Computer suggested using Group Policy restrictions to prevent NTLM hash credentials from being sent to remote hosts. For enterprise users, however, doing so can interfere with normal authentication.

Bayne added that he had disclosed the findings to the Microsoft Security Response Center (MSRC). Unfortunately, because this is a “design feature,” the bug has not been fixed.

It is not known whether the software giant will formally fix the issue or adjust the structure of the theme file in the future to prevent abuse.