Windows 10 UWP bug could give malicious devs access to all your files


Microsoft has quietly fixed a bug in the on-hold Windows 10 October 2018 Update that in earlier versions wasn’t telling users when apps requested permission to access all a user’s files.

The bug in the Windows ‘broadFileSystemAccess’ API could have given a malicious developer of Universal Windows Platform (UWP) apps access to all a user’s documents, photos, downloads, and files stored in OneDrive.

The issue was spotted by .NET developer Sébastien Lachance who built an enterprise app that was suddenly broken in the Windows 10 October 2018 Update, aka 1809, the version currently on hold as Microsoft finalizes testing its fix for the data-loss bug.

Normally UWP apps are restricted to certain folder locations, but developers can request access to other locations too, so long as the app is granted permission by the user.

Read more…