This month security researcher demonstrated a credential harvesting trick that uses Windows theme files. Setting a Windows wallpaper location to a file present at a remote location, for example, a password-protected HTTP(s) page, instead of a locally present image, can be abused for phishing. bohops This happens because the password-protected website, using the , would naturally prompt the user for a password before the wallpaper can be accessed. HTTP Basic Access Authentication to that website, Those not familiar with HTTP Basic Authentication can use the link for a demo. W3's Jigsaw Head straight to in your web browser (username and password are both "guest"). https://jigsaw.w3.org/HTTP/Basic/ Now instead of a webpage, had a wallpaper or Windows theme lived there, and you provided this URL to Windows where a filename was expected, you'd be prompted for a username and password in an identical manner. to that website Actually, other software programs do the same thing. Try inserting a remote resource (image, for example, from a password-protected URL) in Word, and you'd be presented with a similar dialog box. Phishing attacks? Maybe... Yes, in some ways, this "intended feature" can be abused for phishing attacks: if a naïve user on seeing a native system dialog box enters Windows or Microsoft Account credentials as opposed to the website's. their However, I'd argue in that case the user really doesn't know what they are doing and need additional computer security training. Moreover, in all cases - whether you were setting a remote wallpaper, or inserting an image into your Word document, the name of the website requesting the password is clearly displayed. According to Microsoft stated they'd not be patching this bug as it was a "feature by design," but I'd argue why should they? What is a better way to allow HTTP Basic Authentication? bohops , Maybe disable the option of allowing remote resources from being inserted in some locations (such as wallpapers and themes) altogether? The only other way I can think that may help is, adding a warning to all such dialog boxes. For example, whenever a user tries to access an HTTP Basic Auth-protected resource, a system-initiated prompt requesting the password should make it very clear to the user that this is not a solicitation for their Windows credentials. After all, the chances of the (unknown) remote resource or wallpaper, and the user's Windows account sharing the same set of credentials are infinitesimally small. NTLM "Pass-the-hash" hack: more serious Further investigation conducted by Lawrence Abrams of [full disclosure: I occasionally write for them] though reveals an additional attack vector. BleepingComputer Instead of a URL requiring HTTP Basic Authentication what if the remote wallpaper used a different protocol? For example, what if the remote wallpaper/theme lived at a Samba (smb) share? When trying to access a remote Samba location (e.g. \\example.com\wallpapers\image.jpg), Windows would try to authenticate to the share by sharing the user's NTLM hashes in the background to the remote server. This is called " " authentication. automatically passing the hash Now, this is a problem... Simply by adding an attacker-provided wallpaper or a Windows theme file to your system would initiate a connection to the attacker's server and share your NTLM hashes without your knowledge or explicit consent. Although NTLM hashes are encrypted, it may not take that long for them to be cracked as history tells us. "In a Pass-the-Hash attack, the sent credentials are harvested by the attackers, who then attempt to dehash the password to access the visitors' login name and password," writes Abrams. "In a test , dehashing an easy password took approximately 4 seconds to crack!" he continues. previously done by BleepingComputer Therefore, the short answer to the question, if Windows wallpapers can hijack your Microsoft Account credentials is, "yes, but it depends." Whereas the HTTP Basic Authentication may be easier to spot for seasoned users, the "pass-the-hash" authentication hack is more subtle and its automatic nature makes it difficult for the end-user to prevent credential harvesting attacks. A key point to note though, HTTP Basic Authentication transmits your credentials in plaintext over a network (unless the website requesting the password uses HTTPS), whereas NTLM "pass the hash" authentication would transmit your actual plaintext password, but a of it. not hash Still, the risk remains from "pass the hash," given the attacker would know your Windows username and potentially be able to guess or deduce your Windows password from the hash (if the password was weak). now Users should therefore refrain from using Windows wallpapers and theme files from untrusted sources. © 2020. . All Rights Reserved. Produced for Hacker Noon. Ax Sharma

Microsoft

My other blog: Security Report

Book a call

Read My Stories

Too Long; Didn't Read

Questions about cloud security? Get answers here.

Precious Tips To Protect Your Microsoft Account Password From Phishing

Too Long; Didn't Read

Company Mentioned

Ax Sharma

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Precious Tips To Protect Your Microsoft Account Password From Phishing

Too Long; Didn't Read

Company Mentioned

Ax Sharma

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES