Windows 10 UWP Bug Lets Hackers Access All Your Files

Microsoft says apps published on the Microsoft Store, many of them UWP (Universal Windows Platform) apps, are the most secure choice as all of them are protected against malware and threats that typically target Win32 software.

One of the reasons UWP apps are recommended over their Win32 siblings is that they run in a sandbox, which means it’s theoretically impossible for malware to reach your data because this sandbox mode blocks access to the rest of the files.

Technically, Microsoft allows UWP apps running in a sandbox to access the rest of the files stored on the hard drive with the broadFileSystemAccess API.

This is required because some UWP apps need to store files on the local drives, load documents, and perform other operations with data on the PC. The API implementation, however, includes a warning that is displayed when an app requests access to files, so users can block it if they think it could be malware.
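An added example, not from the original article or from Microsoft: a UWP package requests this access by declaring a capability named broadFileSystemAccess in its AppxManifest.xml, so a defender can list which packages ask for it. The sample manifests, the package names and the `audit_manifest` and `flagged` helpers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FOUNDATION = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
RESCAP = FOUNDATION + "/restrictedcapabilities"

# Constructed sample manifests (hypothetical packages, trimmed to the relevant elements).
SAMPLE_BROAD = f"""<Package xmlns="{FOUNDATION}" xmlns:rescap="{RESCAP}">
  <Identity Name="Example.FileTool" Publisher="CN=Example" Version="1.0.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
    <rescap:Capability Name="broadFileSystemAccess" />
  </Capabilities>
</Package>"""

SAMPLE_SANDBOXED = f"""<Package xmlns="{FOUNDATION}">
  <Identity Name="Example.Notes" Publisher="CN=Example" Version="2.1.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
  </Capabilities>
</Package>"""

TARGET = "broadFileSystemAccess"

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def audit_manifest(xml_text):
    """Return package name, declared capabilities, and whether TARGET is requested."""
    root = ET.fromstring(xml_text)
    identity = next((e for e in root.iter() if _local(e.tag) == "Identity"), None)
    name = identity.get("Name", "<unnamed>") if identity is not None else "<no identity>"
    caps = []
    for node in root.iter():
        if _local(node.tag) == "Capabilities":
            # Children may be Capability, rescap:Capability, uap:Capability, DeviceCapability...
            caps.extend(c.get("Name") for c in node if c.get("Name"))
    return {"package": name, "capabilities": caps,
            "broad_fs": any(c.lower() == TARGET.lower() for c in caps)}

def flagged(manifests):
    """Names of packages whose manifest requests broad file system access."""
    return [r["package"] for r in map(audit_manifest, manifests) if r["broad_fs"]]

if __name__ == "__main__":
    for report in map(audit_manifest, [SAMPLE_BROAD, SAMPLE_SANDBOXED]):
        print(report)
```

On a real machine the same functions can be fed the text of each installed package's AppxManifest.xml instead of the constructed samples.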

Bug in UWP apps

But as it turns out, this warning is flawed and may be blocked from showing up, as revealed by Windows developer Sebastien Lachance. In an analysis of the bug, the developer explains that hackers could bypass the prompt and obtain access to the locally stored data without letting users know about it.

Microsoft has already acknowledged the bug and, by the looks of it, the company fixed it in the Windows 10 October 2018 Update (version 1809). This is pretty good news, though it’s a bit worrying that a fix isn’t available on the previous Windows 10 builds.

At the same time, it’s worth knowing that users can’t yet install Windows 10 version 1809 because Microsoft suspended the rollout after discovering a critical bug leading to the removal of user files.

So while a fix is indeed ready, nobody can get it for the time being. Users are recommended to install version 1809 when it becomes available once again.

Via MSPU