People like to be individuals, and in the computing arena, one way to be a little different is to change the look of Windows by using themes. But a security researcher has warned of a technique that could be exploited by hackers to trick users into divulging their Windows login details when applying a theme.

Malicious theme packs can be used to execute a "pass-the-hash" attack which sends passwords to a remote server. The specially designed themes are easy to create, and the way the credential-stealing attack works will fool many people -- but there are protective measures that can be put in place.

Security researcher Jimmy Bayne explained that the text files used to configure theme packs could be exploited. Themes are made up of various components including background images, cursors, sound files and more, and they are all linked together by a .theme file. This file is essentially a plain text file that tells Windows where the various resources are in order to make use of the theme.

As reported by Bleeping Computer, this configuration file can be crafted so that Windows is told that rather than loading a locally stored image for the desktop background, it is instead told to look to a remote server. When Windows tries to load the theme, this causes the operating system to display a prompt asking for a user's login credentials. When these are supplied, the username and the NTLM hash of the password are forwarded on. Research shows that these hashes are very easily decrypted.

On Twitter, Bayne shared his findings in a series of tweets

The wallpaper key is located under the "Control PanelDesktop" section of the .theme file. Other keys may possibly be used in the same manner, and this may also work for netNTLM hash disclosure when set for remote file locations 2/4

— bohops (@bohops) September 5, 2020

From a defensive perspective, block/re-associate/hunt for "theme", "themepack", "desktopthemepackfile" extensions. In browsers, users should be presented with a check before opening. Other CVE vulns have been disclosed in recent years, so it is worth addressing and mitigating 4/4 pic.twitter.com/xaEP1PeDN9

— bohops (@bohops) September 5, 2020

To protect yourself against this type of attack, you could simply avoid using theme packs that come from unknown sources, or exercise caution when presented with an unexpected login dialog. But as Bayne suggests, it is also a good idea to associate the .theme, .themepack and .desktopthemepackfile extension to a different application so they are not automatically executed if double-clicked.