Windows 10 UWP bug could give malicious devs access to all your files

Microsoft has quietly fixed a bug in the on-hold Windows 10 October 2018 Update that in earlier versions wasn’t telling users when apps requested permission to access all a user’s files.

The bug in the Windows ‘broadFileSystemAccess’ API could have given a malicious developer of Universal Windows Platform (UWP) apps access to all a user’s documents, photos, downloads, and files stored in OneDrive.

The issue was spotted by .NET developer Sébastien Lachancewho built an enterprise app that was suddenly broken in the Windows 10 October 2018 Update, aka 1809, the version currently on hold as Microsoft finalizes testing its fix for the data-loss bug.

Normally UWP apps are restricted to certain folder locations, but developers can request access to other locations too, so long as the app is granted permission by the user.

As noted in Microsoft’s documentation, the broadFileSystemAccess API gives access to all files that a user has access to. Microsoft promoted the feature as a way for developers to make their UWP apps more user-friendly.

“This is a restricted capability. On first use, the system will prompt the user to allow access. Access is configurable in Settings > Privacy > File system,” Microsoft explains.

“If you submit an app to the Store that declares this capability, you will need to supply additional descriptions of why your app needs this capability, and how it intends to use it. This capability works for APIs in the Windows.Storage namespace.”

The problem is that until version 1809, users weren’t getting the permission prompt and the API could actually be used to access the full file system.

According to Lachance, the dialog is meant to be displayed to a user on the first use of the app, as per the documentation. Microsoft recognized this is a privacy issue and so set the broad access file system value to off.

If users are concerned that an app they’ve installed has gained wider access to files than preferred, users can limit that access in within Settings > Privacy > File.

Developers who previously used the API may also find their UWP apps now crash when users move to version 1809.
To read the original article:

https://www.zdnet.com/article/windows-10-uwp-bug-could-give-malicious-devs-access-to-all-your-files/

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *