Windows 10 desktop themes can steal your passwords: What to do [updated]

(Image credit: Microsoft)

UPDATED with comment from Microsoft.

If you like to customize your Windows 10 desktops with third-party themes, be very very careful: These themes can steal the password to your Microsoft account, and there doesn't seem to be any fix coming.

This information comes to us from Twitter user "Bohops," aka security researcher Jimmy Bayne, via Bleeping Computer. Bayne discovered that Windows 10 .theme files can be set to automatically download images from the internet. 

This would be harmless, except for one thing: In order to download the image, Windows will automatically present your Windows account username and password to the server hosting it -- the same credentials you use to sign into the machine.

Both credentials will be sent to the server hosting the image. The username will be in plaintext and the password will be sent as an NTLM hash, the output of a password-hashing algorithm used by Microsoft.

Here's the problem with NTLM hashes: They're damn easy to "crack" using any of a half-dozen free password-cracking programs. If someone -- say someone running a server hosting third-party desktop-theme images -- gets an NTLM hash of your Windows account password, then that someone can recover your password in a matter of seconds.
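Because a .theme file is a plain INI-style text file, a defender can inspect one before applying it. The following Python check is an added example, not code from the article or from Bayne's research: it parses the wallpaper and slideshow paths from a theme file and flags any that point to a remote share or URL instead of the local disk. The sample theme text is constructed for this example, and the IP address in it is a documentation address, not a real server.

```python
import configparser
import re
from typing import List, Tuple

# Constructed sample .theme content (not a real theme file). The Wallpaper value
# points at a remote share, which is exactly the pattern the article describes.
SAMPLE_THEME = """\
[Theme]
DisplayName=Constructed Example Theme

[Control Panel\\Desktop]
Wallpaper=\\\\203.0.113.10\\share\\wallpaper.jpg
TileWallpaper=0
WallpaperStyle=10

[Slideshow]
Interval=1800
Shuffle=0
ImagesRootPath=%SystemRoot%\\Web\\Wallpaper\\Theme1
"""

# A remote location is a UNC path (\\host\share\...) or an http(s) URL.
REMOTE_PATTERN = re.compile(r"^\s*(\\\\[^\\]+\\|https?://)", re.IGNORECASE)

# Theme keys whose values Windows resolves as a file location when the theme is applied.
PATH_KEYS = {"wallpaper", "imagesrootpath"}


def find_remote_resources(theme_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every path-like key that points off the machine."""
    # interpolation=None keeps '%SystemRoot%' style values from being treated as
    # configparser substitutions; strict=False tolerates duplicate keys in sloppy themes.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(theme_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            # configparser lowercases option names, so compare against lowercase keys.
            if key.lower() in PATH_KEYS and REMOTE_PATTERN.match(value):
                findings.append((section, key, value))
    return findings


def is_theme_safe(theme_text: str) -> bool:
    """True when no wallpaper or slideshow path leaves the local machine."""
    return not find_remote_resources(theme_text)


if __name__ == "__main__":
    for section, key, value in find_remote_resources(SAMPLE_THEME):
        print(f"[{section}] {key} points to a remote location: {value}")
```

A theme that passes this check can still be unwanted for other reasons, but it at least cannot trigger the credential exchange described above by pointing Windows at a remote image.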

This is bad enough if you have remote-desktop access set up on your PC, as the attacker can use your Windows username and password to log on as you. Fortunately, remote-desktop access is not built into Windows 10 Home and not enabled by default in Windows 10 Pro or Enterprise.

From bad to worse

Things get much worse if you use your Microsoft account credentials to log into your computer, which unfortunately is exactly what Microsoft now forces you to do when you're setting up a new PC.

While stolen Windows account credentials just give the attacker access to your local machine, Microsoft account credentials give the attacker access to your Xbox Live, Office 365, OneDrive, Outlook.com and other Microsoft-related service accounts. 

This situation is not likely to be resolved anytime soon. Sending NTLM hashes to random servers has been a feature of Windows for two decades. Microsoft's insistence that anyone setting up a new PC use Microsoft-account credentials is more recent, but no less pervasive.

Bayne said in his Twitter thread that he had reported this situation to Microsoft, but was told that it would not be fixed because it was a "feature by design."

Tom's Guide has reached out to Microsoft for comment, and we will update this story when we receive a reply.

How to protect yourself

You'll just have to take these steps to protect yourself:

Don't download third-party desktop themes

Don't download third-party desktop themes from random websites, or accept any that someone sends you via email. Get them only from the Microsoft Store. 

Set up two-factor authentication for your Microsoft account

Here's how to set up two-factor authentication. Doing this will make it much harder for an attacker to log into your Microsoft account, even with your password.

Create a second Windows account with a local-only set of credentials

Use this new account for your daily computing needs. This will make sure the login process won't access your Microsoft account. We have instructions here.

To be even safer, make sure this second Windows account has only limited privileges. That way it won't be able to install, delete or modify most programs, but then neither will anyone who steals the credentials or any malware that you download by accident.

Make sure remote-desktop settings are turned off

Type "remote settings" into the Cortana search box at the bottom left of your screen and select Remote Desktop Settings. 

You might see a message that your edition doesn't support remote desktop, in which case you're all set. Otherwise, locate the Enable Remote Desktop switch and make sure it's toggled off.

Optional: Edit your Windows Registry to block NTLM hashes from being sent to remote servers

Bleeping Computer advises this step, but we think it's something that should be attempted only by very technically proficient users. If you're up for the task -- and be forewarned that messing with the Registry can create serious risks -- then instructions are here.

Update: Microsoft responds

Responding to our request for comment, Microsoft provided this statement, in full:

"Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible. We urge security researchers to practice coordinated vulnerability disclosure to reduce the potential risk to customers."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.