There’s a bug in the UWP API that lets appropriately programmed apps look at all of your data. Günter Born says: (The malicious UWP) app is not limite
[See the full post at: Newly discovered data access breach in Win10 UWP (Metro, “Store”) apps]
Newly discovered data access breach in Win10 UWP (Metro, “Store”) apps
- This topic has 17 replies, 11 voices, and was last updated 6 years, 4 months ago.
Tags: broadFileSystemAccess
WildBill
AskWoody Plus October 27, 2018 at 3:03 pm #227597
Well, that tears it. Even if Microsoft fixes the bug, I’ll never move to Win10 whatever. Neither Home nor Pro! Yes, I know it will be fixed… but what’s to stop some coder from breaking it again? It’s always been a matter of trust, but MS just lost mine for good when it comes to Windows 10. As long as they don’t break Win8.1 before 2023… bugs start popping up after January 2020, then Linux Mint, here I come!
Bought a refurbished Windows 10 64-bit, currently updated to 22H2. Have broke the AC adapter cord going to the 8.1 machine, but before that, coaxed it into charging. Need to buy new adapter if wish to continue using it.
Wild Bill Rides Again...
4 users thanked author for this post.
-
Susan Bradley
Manager October 27, 2018 at 9:45 pm #227629
The store process means that apps are vetted so isn’t this a theoretical attack rather than one we will see in reality? It’s like the iPhone bugs that they say “first you have to jailbreak the device”…. well yeah….
Susan Bradley Patch Lady/Prudent patcher
1 user thanked author for this post.
-
anonymous
Guest -
Susan Bradley
Manager October 28, 2018 at 1:55 am #227642
-
-
-
Jan K.
AskWoody Lounger -
lurks about
AskWoody Lounger October 28, 2018 at 9:25 am #227670
What I understood was the problem is UWP apps were granted extensive file reading (writing?) privileges even when the developer did not invoke them or request them. Thus it sounds like a carefully crafted app could harvest files from anywhere on the box and send them to their mothership. How practical this mode would be; I do not know.
1 user thanked author for this post.
-
anonymous
Guest
Seff
AskWoody Plus October 27, 2018 at 3:21 pm #227601
Surely not! Windows 10 is the most secure version of Windows, is it not?
Thanks for the info, Woody.
2 users thanked author for this post.
-
Charlie
AskWoody Plus
lanceboil
AskWoody Lounger
b
AskWoody_MVP October 27, 2018 at 6:18 pm #227618
There’s a bug in the UWP API that lets appropriately programmed apps look at all of your data.
But there are unlikely to be any such apps (apart from Microsoft’s App Installer and Diagnostics Data Viewer) because;
If you submit an app to the Store that declares this capability, you will need to supply additional descriptions of why your app needs this capability, and how it intends to use it.
Docs / Windows / UWP / Develop / Files, folders, and libraries / File access permissions
And the capability can be disabled per device, per user or per app.
As for the app crash on 1809; that sounds like a programmer error:
Some capabilities provide apps with access to a sensitive resource. These resources are considered sensitive because they can access the user’s personal data or cost the user money. Privacy settings, managed by the Settings app, let the user dynamically control access to sensitive resources. Thus, it’s important that your app doesn’t assume a sensitive resource is always available.
Docs / Windows / UWP / Develop / Packaging apps / App capability declarations
1 user thanked author for this post.
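Added example, not part of the thread or of any poster's code: a PowerShell check an administrator could run to see which installed packages declare the broadFileSystemAccess restricted capability discussed above. The helper names `Get-DeclaredCapability` and `Find-BroadFileSystemAccessPackage` and the `Contoso.Example` manifest are constructed for illustration; `Get-AppxPackage` and `Get-AppxPackageManifest` are the standard Appx cmdlets.

```powershell
# Added example. Function names and the sample manifest are constructed.
function Get-DeclaredCapability {
    param([Parameter(Mandatory)][xml]$Manifest)
    # Capability elements sit in several namespaces (uap, rescap, ...),
    # so select every child of <Capabilities> regardless of prefix.
    $xpath = "/*[local-name()='Package']/*[local-name()='Capabilities']/*"
    foreach ($node in $Manifest.SelectNodes($xpath)) {
        [pscustomobject]@{
            Package    = $Manifest.Package.Identity.GetAttribute('Name')
            Kind       = $node.LocalName      # Capability or DeviceCapability
            Restricted = $node.NamespaceURI -like '*/restrictedcapabilities'
            Name       = $node.GetAttribute('Name')
        }
    }
}

# Live check: packages installed for the current user that declare the capability.
function Find-BroadFileSystemAccessPackage {
    Get-AppxPackage | ForEach-Object {
        try   { $m = Get-AppxPackageManifest -Package $_.PackageFullName -ErrorAction Stop }
        catch { return }   # skip packages whose manifest cannot be read
        Get-DeclaredCapability -Manifest $m |
            Where-Object Name -eq 'broadFileSystemAccess'
    }
}

# Constructed manifest so the parser can be tried without any package installed.
$sample = [xml]@'
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
  xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities">
  <Identity Name="Contoso.Example" Publisher="CN=Contoso" Version="1.0.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
    <rescap:Capability Name="broadFileSystemAccess" />
  </Capabilities>
</Package>
'@

Get-DeclaredCapability -Manifest $sample | Format-Table
Find-BroadFileSystemAccessPackage | Format-Table
```

A declaration in the manifest only shows that the app asks for the capability; whether access is currently allowed is governed by the privacy setting that can be turned off per device, per user or per app.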
-
woody
Manager
mn–
AskWoody Lounger October 29, 2018 at 3:14 am #227837
… so, let’s see…
1. UWP apps from outside the Store have direct filesystem access on by default in previous versions of Windows 10, but off by default in 1809. The bug is that the permission dialog doesn’t display automatically on first instance of the specific app requiring this permission.
2. UWP apps that need direct filesystem access and don’t have it, throw an exception that defaults to crashing the app unless caught. The permission state can change while app is running and takes effect immediately.
Now, unless there’s something even weirder going on, surely the user’s UWP apps still run in the normal user context and thus only have at most as much capability as the user’s non-UWP processes, thus not causing any inherent extra risk just due to being UWP? Such as in this case with a business-specific internal app, apparently…?
What I find potentially somewhat risky is the unexpected state change, which logically might prevent the app from saving its data to disk, thus having the potential for data loss. This is not markedly different from non-UWP apps running into an unexpected permissions problem at file open time but might differ for files that were already open, or does the UWP platform prevent continuously open files or something?
Not going into whatever may be going on with the Store – the “vetting” processes would reduce risks but not eliminate.
-
mn–
AskWoody Lounger October 29, 2018 at 8:23 am #227856
… hm, it seems that the “broad filesystem access” privacy settings entry just isn’t there at all in at least W10 1709…
Now, from https://stackoverflow.com/questions/49728846/uwp-c-sharp-folderpicker-without-dialog and elsewhere, broad filesystem access was supposed to either not exist or default to off in older versions.
Anyone know which versions are vulnerable, then? From context I’d guess at least 1803 but could go way back…
-
b
AskWoody_MVP November 8, 2018 at 12:46 pm #231464
Looks to me like only 1803 (not earlier versions) could possibly have been regarded as vulnerable, and 1809 is not.
But the guy who discovered the bug has now updated his blog entry, and I’m not convinced that he ever considered it to be exploitable:
Update: There has been a bit of misunderstanding on how this works. The broadFileSystemAccess is a restricted capability that an application could be granted, it is not an API. As a developer as well, I have to opt-in to using the capability. Any application in the store with the capability goes through extra verification by the Store team before any user gets it and the user is aware they are granting the application the permission to use the capability as well.
Important information about the new capability of broadFileSystemAccess in UWP apps
-
b
AskWoody_MVP January 17, 2019 at 10:09 am #312781
Fixed:
Addresses a privacy issue with apps that obtain the BroadFileSystemAccess capability without a user’s consent.