Windows 10 UWP bug could give malicious devs access to all your files

Developer finds a Universal Windows Platform privacy bug after Windows 10 1809 breaks his app.
Written by Liam Tung, Contributing Writer

Microsoft has quietly fixed a bug in the on-hold Windows 10 October 2018 Update that in earlier versions wasn't telling users when apps requested permission to access all a user's files.

The bug in the Windows 'broadFileSystemAccess' API could have given a malicious developer of Universal Windows Platform (UWP) apps access to all a user's documents, photos, downloads, and files stored in OneDrive.

The issue was spotted by .NET developer Sébastien Lachance who built an enterprise app that was suddenly broken in the Windows 10 October 2018 Update, aka 1809, the version currently on hold as Microsoft finalizes testing its fix for the data-loss bug.

Normally UWP apps are restricted to certain folder locations, but developers can request access to other locations too, so long as the app is granted permission by the user.

As noted in Microsoft's documentation, the broadFileSystemAccess API gives access to all files that a user has access to. Microsoft promoted the feature as a way for developers to make their UWP apps more user-friendly.

"This is a restricted capability. On first use, the system will prompt the user to allow access. Access is configurable in Settings > Privacy > File system," Microsoft explains.

"If you submit an app to the Store that declares this capability, you will need to supply additional descriptions of why your app needs this capability, and how it intends to use it. This capability works for APIs in the Windows.Storage namespace."

SEE: 10 ways to raise your users' cybersecurity IQ (free PDF)

The problem is that until version 1809, users weren't getting the permission prompt and the API could actually be used to access the full file system.

According to Lachance, the dialog is meant to be displayed to a user on the first use of the app, as per the documentation. Microsoft recognized this is a privacy issue and so set the broad access file system value to off.

If users are concerned that an app they've installed has gained wider access to files than preferred, users can limit that access in within Settings > Privacy > File.

Developers who previously used the API may also find their UWP apps now crash when users move to version 1809.

Previous and related coverage

Windows 10 1809 ZIP copy fail: Microsoft reveals workaround, patch due November

Microsoft offers a workaround for a bug that causes the silent failure of copying from ZIP folders to regular folders.

New Windows 10 1809 bug: Zip data-loss flaw is months old but Microsoft missed it

A Feedback Hub user reported the latest Windows 10 October 2018 Update bug three months ago. Microsoft has fixed the issue in preview builds of the 19H1 version of Windows 10, so it should be fixed in 1809 soon.

Windows 10 October update's new public rollout nears as Microsoft fixes more bugs

Microsoft finds and fixes more glitches in Windows 10 October 2018 Update.

Windows 10 audio problems? Intel issued buggy driver but we fixed it, says Microsoft

Intel accidentally pushed an incompatible audio driver to Windows 10 devices through Windows Update.

More Windows 10 October update woes? HP users report BSOD after Tuesday patch

Admins struggle with the latest Windows 10 1809 patch on some HP systems.

Windows 10 1809 bungle: We won't miss early problem reports again, says Microsoft

Microsoft makes changes to its Feedback Hub after failing to notice early reports flagging up data losses caused by the Windows 10 October 2108 Update.

Microsoft halts rollout of Windows 10 October 2018 Update: What happens next?

Only days after releasing its latest feature update to Windows 10, Microsoft abruptly stopped the rollout and pulled the new version from its download servers as it investigates "isolated reports" of a data-destroying bug. What should you do now?

Windows 10 October update delete your files? This tool might recover them

No word yet from Microsoft about Windows 10 October 2018 Update deleting user files -- but it's a problem Windows Insiders have encountered before.

Windows 10 October update problems: Wiped docs, plus Intel driver warning

Back up files before upgrading to Windows 10 1809, and if you get a warning about Intel drivers, do not proceed.

Microsoft begins rolling out Windows 10 October 2018 Update

Microsoft is starting to roll out the Windows 10 October 2018 Update today, starting with Insiders and those ready to proactively grab the new bits.

Windows 10 October 2018 Update: 5 new features business users will love TechRepublic

Windows 10 is getting a big update in its next release. Here are some of the enterprise-centered features to expect in the Windows 10 October 2018 Update.

Surface Pro 6, Surface Laptop 2, Surface Studio 2 and Surface Headphones: Everything Microsoft just announced CNET

Plus: Windows 10 October 2018 Update is now available.

Editorial standards