قالب وردپرس درنا توس
Home / Tips and Tricks / Hackers Can Use Altered Windows 10 Themes To Steal Your Microsoft Password – Review Geek

Hackers Can Use Altered Windows 10 Themes To Steal Your Microsoft Password – Review Geek



A shadow profile of a padlock over the Microsoft logo
Alberto Garcia Guillen / Shutterstock

Changing your Windows theme seems innocent enough, and it̵

7;s nice to freshen things up occasionally. However, you should be careful about what sources you use to get new topics. A security researcher demonstrated a method of changing Windows 10 themes to steal your Microsoft password.

As Bleeping Computer notes, security researcher Jimmy Bayne (@bohops) shows that the process isn’t even difficult. It takes advantage of several Windows behaviors to perform a “pass-the-hash” attack.

In a pass-the-hash attack, bad actors don’t worry about getting your clear text password. They set up an attack that sends them your hashed password. Then they can send that to Microsoft (or the company that the password is for) for authentication. Since it matches correctly, it works the same as using the plain text password.

As Bayne explains, hackers can modify a Windows design to force the operating system to connect to a remote SMB share that requires authentication. When Windows connects to a remote SMB share like this one, your profile credentials are automatically sent to log in.

Microsoft moved to online accounts with Windows 10 and is slowly pushing everyone to use them. If you’re already using your Microsoft account, it means that your Microsoft username and hash password will be passed to the hacker.

Once the hacker makes the change to a theme, they can save it and upload it to websites that host Windows themes. You won’t know what hit you until it’s too late. Bayne reported the problem to Microsoft, but the company declined to create an update because it was a “feature by design” issue.
Bayne suggested a few solutions, but they broke the Windows thematic component.

Once you’ve done this, you won’t be able to change any themes (until you undo the change). It is safest to enable two-step authentication. If someone steals your password, they still don’t have everything they need to get into your account.

Source: Jimmy Bayne via Bleeping Computer




Source link