Windows 10 Bug Allowed UWP Apps Full Access to File System

A bug in Windows 10 allowed Universal Windows Platform (UWP) apps to access the entire file system without permission from the user. This could have allowed a malicious app to access any data stored on the computer without the knowledge or consent of the user.

By default, UWP apps can only access files and folders located in the app’s installation directory and its data storage locations in AppData\Local, AppData\Roaming, and the Temp folder. If an app needs to access files outside of these locations, it can display a file/folder picker that the user can use to select a file, or the developer can declare extra permissions for the app.

Extra permissions can be declared by adding them to the app’s package manifest file, which can enable access to folders such as Documents, Music, Pictures, etc. You can see an example below of how permission to the user’s Pictures library is given to an app.

<Capabilities>
  <uap:Capability Name="picturesLibrary"/>
</Capabilities>

These permissions are then shown in the description of an app in the Microsoft Store.

Permission to access the Pictures Library

There is one permission that gives an app access to the entire file system. This permission is called broadFileSystemAccess, and Microsoft Sticky Notes, for example, declares it in its package manifest.

According to the developer documentation for the broadFileSystemAccess permission, it provides access to “All files that the user has access to. For example: documents, pictures, photos, downloads, desktop, OneDrive, etc.”

“This is a restricted capability. On first use, the system will prompt the user to allow access,” continues the Microsoft developer documentation. “Access is configurable in Settings > Privacy > File system. If you submit an app to the Store that declares this capability, you will need to supply additional descriptions of why your app needs this capability, and how it intends to use it.”
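An added example (not from the article or from Microsoft): a small C# audit that lists the capabilities a package manifest declares and flags broadFileSystemAccess. The sample manifest is constructed and trimmed, and the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Xml.Linq;

static class ManifestAudit
{
    // Restricted-capabilities namespace, the one broadFileSystemAccess is declared in.
    static readonly XNamespace Rescap =
        "http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities";

    // Returns (name, isRestricted) for every child of <Capabilities>.
    public static List<(string Name, bool Restricted)> Capabilities(string manifestXml)
    {
        var doc = XDocument.Parse(manifestXml);
        return doc.Descendants()
            .Where(e => e.Parent?.Name.LocalName == "Capabilities")
            .Select(e => ((string)e.Attribute("Name") ?? "(unnamed)",
                          e.Name.Namespace == Rescap))
            .ToList();
    }

    static void Main()
    {
        // Constructed sample manifest, reduced to the elements the audit reads
        // (not schema-validated).
        const string sample = @"<Package
  xmlns=""http://schemas.microsoft.com/appx/manifest/foundation/windows10""
  xmlns:uap=""http://schemas.microsoft.com/appx/manifest/uap/windows10""
  xmlns:rescap=""http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"">
  <Capabilities>
    <Capability Name=""internetClient""/>
    <uap:Capability Name=""picturesLibrary""/>
    <rescap:Capability Name=""broadFileSystemAccess""/>
  </Capabilities>
</Package>";

        foreach (var (name, restricted) in Capabilities(sample))
        {
            string note = name == "broadFileSystemAccess"
                ? "  <-- full file system access; review before deployment"
                : restricted ? "  (restricted capability)" : "";
            Console.WriteLine($"{name}{note}");
        }
    }
}
```

To audit a real package, pass the text of its AppxManifest.xml to `Capabilities` instead of the embedded sample.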

What this means is that if a developer adds this permission, on the first use of an app with this permission, Windows 10 is supposed to show a settings screen where you can enable this permission. This settings page can be found at Settings -> Privacy -> File System as shown below.

Privacy File System Settings Screen

According to Windows app developer Sébastien Lachance, a bug in Windows 10 made it so that the Settings screen above was not displayed. To make matters worse, before Build 1809 (October 2018 Update), the requirement to first enable file system access in the Settings screen was not enforced. This meant that users did not need to give explicit permission for their apps to have full file system access when the broadFileSystemAccess permission was used.

“After I installed the October 2018 Update, I realized that my app was crashing at startup. I found out that accessing my file above was crashing the app. I thought that the manifest was altered, but no. I contacted my friends at Microsoft and they confirmed me two important info:

1- The Windows dialog that is supposed to be shown the first time a file is accessed does not trigger is a *bug*.
2- Because it is a privacy issue, Microsoft decided with the October 2018 Update to set to OFF the value of the broad access file system.”

Lachance discovered this bug after creating an app that utilized the broadFileSystemAccess permission in order to access data in a hard-coded “C:\myAppData” location. After upgrading to the October 2018 Update, his app suddenly started crashing on startup.

This is because in Build 1809 Microsoft had started to enforce the requirement that users give permission using the Settings page before the broadFileSystemAccess permissions are allowed. Unfortunately, the October 2018 Update has been pulled as Microsoft fixes critical bugs that were discovered after it was initially released.

To avoid the crashes that will occur when this permission is properly enforced, Lachance suggests that UWP app developers trigger the following command when the app needs to access folders outside the application’s normally allowed folders.

await Windows.System.Launcher.LaunchUriAsync(new Uri("ms-settings:privacy-broadfilesystemaccess"));
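One way to apply this suggestion, as an added example rather than Lachance's or Microsoft's code: catch the access failure instead of letting the app crash, send the user to the File system privacy page, and offer the folder picker as an alternative that needs no capability. The class and method names are hypothetical, and the code assumes a UWP project whose manifest declares broadFileSystemAccess.

```csharp
using System;
using System.Threading.Tasks;
using Windows.Storage;
using Windows.Storage.Pickers;
using Windows.System;

public static class BroadAccessGuard
{
    // Returns the folder, or null after sending the user to the
    // File system privacy page when access has not been granted.
    public static async Task<StorageFolder> TryOpenFolderAsync(string path)
    {
        try
        {
            // Paths outside the app's own locations need broadFileSystemAccess
            // declared in the manifest and switched on by the user.
            return await StorageFolder.GetFolderFromPathAsync(path);
        }
        catch (UnauthorizedAccessException)
        {
            // Denied: open Settings > Privacy > File system instead of crashing.
            await Launcher.LaunchUriAsync(
                new Uri("ms-settings:privacy-broadfilesystemaccess"));
            return null;
        }
    }

    // Least-privilege alternative: the user picks the folder, so the app
    // gets access to that one location without any extra capability.
    public static async Task<StorageFolder> PickFolderAsync()
    {
        var picker = new FolderPicker();
        picker.FileTypeFilter.Add("*");   // FolderPicker needs at least one filter entry
        return await picker.PickSingleFolderAsync();   // null if the user cancels
    }
}
```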

It is important to note that developers who use the broadFileSystemAccess permission and publish their app to the Microsoft Store are supposed to provide information as to why this permission is required. From there, it would be expected that Microsoft would apply greater scrutiny when reviewing the app to determine if there was any malicious activity.

Unfortunately, as shown by a recent Ad Clicker Trojan in the Microsoft Store that pretended to be a Google Photos app from Google, Microsoft may not be performing a thorough review of submitted apps.

Bleeping Computer has contacted Microsoft for confirmation, but had not heard back at the time of this publication.