Can a Windows wallpaper really hijack your Microsoft account password?

This month security researcher bohops demonstrated a credential harvesting trick that uses Windows theme files. Setting a Windows wallpaper location to a file present at a remote location, for example, a password-protected HTTP(s) page, instead of a locally present image, can be abused for phishing.

[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user 1/4 pic.twitter.com/rgR3a9KP6Q

— bohops (@bohops) September 5, 2020

This happens because the password-protected website, using the HTTP Basic Access Authentication, would naturally prompt the user for a password to that website, before the wallpaper can be accessed.

Those not familiar with HTTP Basic Authentication can use the W3’s Jigsaw link for a demo.

Head straight to https://jigsaw.w3.org/HTTP/Basic/ in your web browser (username and password are both “guest”).

Now instead of a webpage, had a wallpaper or Windows theme lived there, and you provided this URL to Windows where a filename was expected, you’d be prompted for a username and password to that website in an identical manner.

Actually, other software programs do the same thing. Try inserting a remote resource (image, for example, from a password-protected URL) in Word, and you’d be presented with a similar dialog box.

Phishing attacks? Maybe…

Yes, in some ways, this “intended feature” can be abused for phishing attacks: if a naïve user on seeing a native system dialog box enters their Windows or Microsoft Account credentials as opposed to the website’s.

However, I’d argue in that case the user really doesn’t know what they are doing and need additional computer security training.

Moreover, in all cases – whether you were setting a remote wallpaper, or inserting an image into your Word document, the name of the website requesting the password is clearly displayed.

According to bohops, Microsoft stated they’d not be patching this bug as it was a “feature by design,” but I’d argue why should they? What is a better way to allow HTTP Basic Authentication?

Maybe disable the option of allowing remote resources from being inserted in some locations (such as wallpapers and themes) altogether?

The only other way I can think that may help is, adding a warning to all such dialog boxes.

For example, whenever a user tries to access an HTTP Basic Auth-protected resource, a system-initiated prompt requesting the password should make it very clear to the user that this is not a solicitation for their Windows credentials.

After all, the chances of the (unknown) remote resource or wallpaper, and the user’s Windows account sharing the same set of credentials are infinitesimally small.

NTLM “Pass-the-hash” hack: more serious

Further investigation conducted by Lawrence Abrams of BleepingComputer [full disclosure: I occasionally write for them] though reveals an additional attack vector.

Instead of a URL requiring HTTP Basic Authentication what if the remote wallpaper used a different protocol? For example, what if the remote wallpaper/theme lived at a Samba (smb) share?

When trying to access a remote Samba location (e.g. \\example.com\wallpapers\image.jpg), Windows would automatically try to authenticate to the share by sharing the user’s NTLM hashes in the background to the remote server. This is called “passing the hash” authentication.

Now, this is a problem… Simply by adding an attacker-provided wallpaper or a Windows theme file to your system would initiate a connection to the attacker’s server and share your NTLM hashes without your knowledge or explicit consent.

Although NTLM hashes are encrypted, it may not take that long for them to be cracked as history tells us.

“In a Pass-the-Hash attack, the sent credentials are harvested by the attackers, who then attempt to dehash the password to access the visitors’ login name and password,” writes Abrams.

“In a test previously done by BleepingComputer, dehashing an easy password took approximately 4 seconds to crack!” he continues.

Therefore, the short answer to the question, if Windows wallpapers can hijack your Microsoft Account credentials is, “yes, but it depends.”

Whereas the HTTP Basic Authentication may be easier to spot for seasoned users, the “pass-the-hash” authentication hack is more subtle and its automatic nature makes it difficult for the end-user to prevent credential harvesting attacks.

A key point to note though, HTTP Basic Authentication transmits your credentials in plaintext over a network (unless the website requesting the password uses HTTPS), whereas NTLM “pass the hash” authentication would not transmit your actual plaintext password, but a hash of it.

Still, the risk remains from “pass the hash,” given the attacker would now know your Windows username and potentially be able to guess or deduce your Windows password from the hash (if the password was weak).

Users should therefore refrain from using Windows wallpapers and theme files from untrusted sources.

About the author