Security problems in Windows 10 continue: a bug has been found in the code for UWP (Universal Windows Platform) apps that allows attackers to access your hard drive and steal data without asking permission. Here are the details of this Windows 10 UWP app bug.
Windows 10 UWP Bug Could Let Hackers Steal Your Data without Permission
UWP Apps
In Windows 10, Microsoft introduced the Universal Windows Platform (UWP), which allows apps to run on any device running Windows 10, such as desktops, Surface Hub, Xbox, and IoT devices.
By default, Windows 10 UWP apps have access to the files and folders in their installation directory and to the directories where the app can store data, including AppData\Local, AppData\Roaming, and the Temp folder.
To access files outside these locations, developers can declare extra permissions (capabilities) for an app by adding them to the app's package manifest file. UWP apps can then access files such as pictures, documents, and music.
The following is an example of how permission to the user’s pictures library is given to an app:
<Capabilities>
  <uap:Capability Name="videosLibrary"/>
</Capabilities>
The permission is then listed in the app's description in the Microsoft Store.
However, there is one permission, called broadFileSystemAccess, that developers can declare to let an app access the entire file system. This permission is declared, for example, in the package manifest of Microsoft Sticky Notes.
Windows UWP Bug: broadFileSystemAccess Permission to All Files
According to Microsoft's developer documentation, the broadFileSystemAccess permission gives an app access to all the files the user has access to: documents, photos, downloads, pictures, desktop, OneDrive, etc.
Microsoft says this is a restricted capability. When the app is first launched, a user-consent prompt appears, asking you to grant this permission to the app.
If you submit an app that declares this capability to the Microsoft Store, you need to provide an additional description of why your app needs the capability and how it intends to use it. The access is configurable in Settings > Privacy > File system.
In other words, if developers add this permission, Windows 10 can show a settings screen on the first use of an app and you can enable this permission.
Windows app developer Sébastien Lachance says a bug in Windows 10 causes the Settings screen to fail to display the prompt for permission to access the file system. What’s worse, the requirement to first enable file system access in Settings was not enforced before Windows 10 version 1809.
That is, an app that declares the broadFileSystemAccess permission can access the entire file system without the user’s explicit permission. This leaves sensitive data exposed to apps downloaded from the Windows Store.
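One way to check which capabilities a package declares is to read its manifest directly. The following is an added example, not code from Microsoft or from Lachance: it parses a constructed sample AppxManifest.xml (the package name Contoso.SampleNotes and the function names are made up for illustration) and flags restricted capabilities, broadFileSystemAccess in particular.

```python
import xml.etree.ElementTree as ET

# Namespace Microsoft uses for restricted capabilities (the "rescap" prefix).
RESCAP_NS = (
    "http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
)

# Constructed sample manifest, trimmed to the parts this check reads.
SAMPLE_MANIFEST = """<Package
    xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
    xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
    xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <Identity Name="Contoso.SampleNotes" Publisher="CN=Contoso" Version="1.0.0.0"/>
  <Capabilities>
    <Capability Name="internetClient"/>
    <uap:Capability Name="videosLibrary"/>
    <rescap:Capability Name="broadFileSystemAccess"/>
  </Capabilities>
</Package>
"""


def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def audit_manifest(xml_text):
    """Return the package name and declared capabilities of one manifest."""
    root = ET.fromstring(xml_text)
    name, caps = None, []
    for elem in root.iter():
        ns, local = split_tag(elem.tag)
        if local == "Identity":
            name = elem.get("Name")
        elif local in ("Capability", "DeviceCapability"):
            # A capability is "restricted" when it lives in the rescap namespace.
            caps.append({"name": elem.get("Name"), "restricted": ns == RESCAP_NS})
    broad = any(c["name"] == "broadFileSystemAccess" for c in caps)
    return {"package": name, "capabilities": caps, "broad_file_access": broad}


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    for cap in report["capabilities"]:
        print(cap["name"], "(restricted)" if cap["restricted"] else "")
    print(report["package"], "broad file access:", report["broad_file_access"])
```

Matching on the namespace rather than the prefix means the check still works if a manifest binds the restricted-capabilities namespace to a prefix other than rescap.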
How to Avoid Crashes When Apps Use broadFileSystemAccess Permission
Lachance found this bug while using an app that relied on the broadFileSystemAccess permission to access data in the “C:\myAppData” location. After he installed the Windows 10 October 2018 Update, the app suddenly crashed on startup. This is because Microsoft set the value of broad file system access to OFF in build 1809.
To avoid crashes, Lachance suggests that developers of Windows 10 UWP apps include a simple line of code in the affected programs if the app needs access to folders outside the app’s normally allowed folders. The line is:
await Windows.System.Launcher.LaunchUriAsync(new Uri("ms-settings:privacy-broadfilesystemaccess"));
Fortunately, developers who use the broadFileSystemAccess permission and publish apps to the Store have to explain why the permission is needed. From there, it is expected that Microsoft will apply greater scrutiny when reviewing these applications to determine whether any malicious activity exists.
That is what is known so far about this Windows 10 UWP bug.