This new security flaw could allow malicious developers to access user’s files
Microsoft has solved a vulnerability in Windows 10 update for October, 2018, almost secretly because, according to experts in cybersecurity and digital forensics from the International Institute of Cyber Security, previous updates did not report to users when applications requested permission to access all files on the user’s system.
The error in the Windows API ‘broadFileSystemAccess’ could have given a malicious developer of Universal Windows Platform (UWP) access to all documents, photos, downloads and files of a user stored in OneDrive.
The incident was detected by digital forensics expert Sébastien Lachance, who created a business application that collapsed suddenly in the October 2018 Windows 10 update, also known as Build 1809; this version of the update is currently waiting for Microsoft to complete data-loss bug correction tests.
Regularly, UWP applications are restricted to certain folder locations, but developers can also request access to other locations, provided the user grants permission to the application.
As Microsoft points out, the ‘broadFileSystemAccess’ API provides access to all the files a user has access to. Microsoft promoted the role as a way for developers to make their UWP applications easier to use.
“This is a restricted capacity. In the first use, the system will ask the user to allow access. The access can be configured in Settings > Privacy > File system”, explains Microsoft. “If you send an application to the store declaring this capability, you will need to provide additional descriptions of why your application requires this capability and how you intend to use it”.
The problem is that, until version 1809, users did not receive the permission request and the API could be used to access the entire file system.
According to Lachance, the dialogue is intended to be shown to a user in the first use of the application. Microsoft recognized that this is a privacy issue and therefore disables the value of the wide-access file system.
If users are concerned that an installed application has obtained access to a wider file margin than the default, users can limit that access in Settings > Privacy > file.
According to specialists in digital forensics, developers who previously used the API can also find that their UWP applications are now blocked when users change to version 1809.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.