Apps from the Microsoft Store could exploit a bug to retrieve any of your files from your Windows 10 PC.

Windows developer Sebastien Lachance discovered that by default Universal Windows Platform (UWP) apps can access any user-accessible file on a PC’s drive.

This is despite UWP apps supposedly having to check with users before accessing the file system, outside of their own local storage.

“Recently, I learned that an UWP app can access the entire file system i.e. the app is not restricted to use the LocalStorage or files and folders via a Picker,” Lachance wrote on his blog.

He noticed the bug, in the windows.storage API’s ‘broadFileSystemAccess’ setting, after an app he designed failed to bring up the prompt checking for permission to access the file system.

SEE: Windows 10 power tips: Secret shortcuts to your favorite settings (Tech Pro Research)

Lachance, a Microsoft-certified MVP for Windows Platform Development, says he has confirmed with friends at Microsoft that this is a bug and that it’s been resolved in the Windows 10 October 2018 Update, otherwise known as build 1809. Following the fix, which defaults the ‘broadFileSystemAccess’ setting to off, UWP apps may need to be updated to prevent crashes and Lachance offers guidance on what steps to follow, here.

For users, you can restrict UWP apps access to the file system via the Settings -> Privacy -> File system menu in Windows 10.

Unfortunately, most people don’t have the October Update at present, after Microsoft halted its rollout due to a file-wiping bug.

Multiple reports of bugs in the October Update have emerged in the past month, including an issue handling .ZIP folders and a bug that caused Task Manager to report the incorrect CPU utilization. A subsequent fix for the 1809 build resulted in some HP systems suffering from the Blue Screen of Death, which triggered another update to fix issues with driver compatibility.

In the wake of the October Update rollout being halted, Microsoft has faced calls to slow the pace at which major feature updates are applied to Windows 10 to ensure new releases are more stable. For its part, Microsoft has introduced a way for those testing early builds of the OS under the Windows Insider Program to flag the severity of bugs.

Earlier this year, a security researcher from Norway discovered a trick that exploited UWP apps to make it easier for malware to persist on infected Windows systems between reboots.

Microsoft had not responded to a request for comment at the time of publication.

The big takeaways for tech leaders:

  • A bug in Windows 10 prior to the October 2018 Update, build 1809, allows UWP apps to access any user files without asking for permission.
  • The bug has been resolved in the October 2018 Update but may result in earlier UWP apps crashing.

Read more about the Windows 10