Windows 10 UWP Bug

Microsoft has recently patched a flaw in the Windows 10 October 2018 update, which is still on hold. The flaw resides in the “broadFileSystemAccess” API and could have let a malicious developer of UWP (Universal Windows Platform) apps access all of a user’s documents, downloads, files, and photos stored in OneDrive. The flaw was discovered when an enterprise app broke under the new update. According to researchers, “Normally UWP apps are restricted to certain folder locations, but developers can request access to other locations too, so long as the app is granted permission by the user.” The “broadFileSystemAccess” API permits access to all files that the user has access to. Microsoft promoted this feature to developers as a way to make UWP apps more user-friendly. The feature is restricted, though. The first time that it is used, the user will be prompted to allow access. If a developer submits an app to the app store with this capability, there will need to be a write-up of why the app requires the capability and how it will be used. The capability works for APIs in the “Windows.Storage” namespace. Until Microsoft patched the flaw, users were not getting a permission prompt and the API could be used to access the full file system.

Analyst Notes

Users concerned about installed apps gaining more access to files than intended can restrict that access by opening the Windows 10 Settings app and going to Privacy -> File system. From there, you can toggle “Allow apps to access your file system” or remove an app from the list of apps that have file system access.
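
For administrators who review UWP packages before deployment, the following added example (not code from the original article or from Microsoft) checks whether a package manifest declares the capability. It assumes the capability is declared as a `rescap:Capability` element in `AppxManifest.xml`, as Microsoft's manifest documentation describes; the sample manifest, the `Contoso` identity, and all function names are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Manifest namespaces: foundation schema and restricted capabilities (rescap).
FOUNDATION_NS = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
RESCAP_NS = FOUNDATION_NS + "/restrictedcapabilities"
TARGET = "broadFileSystemAccess"

def audit_manifest(manifest_xml):
    """Return (package name, declares broadFileSystemAccess, capability names)."""
    # For untrusted packages, a hardened parser such as defusedxml is preferable.
    root = ET.fromstring(manifest_xml)
    identity = root.find(f"{{{FOUNDATION_NS}}}Identity")
    name = identity.get("Name") if identity is not None else "<unknown>"
    names, declared = [], False
    for caps in root.iter(f"{{{FOUNDATION_NS}}}Capabilities"):
        for cap in caps:
            names.append(cap.get("Name", ""))
            # Only the rescap-namespaced element is the restricted capability.
            if cap.tag == f"{{{RESCAP_NS}}}Capability" and cap.get("Name") == TARGET:
                declared = True
    return name, declared, names

def audit_package(package_bytes):
    """Audit an .appx/.msix package (a ZIP container) supplied as bytes."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        return audit_manifest(pkg.read("AppxManifest.xml"))

def make_manifest(caps_xml):
    """Constructed sample manifest; the identity values are placeholders."""
    return (f'<Package xmlns="{FOUNDATION_NS}" xmlns:rescap="{RESCAP_NS}">'
            '<Identity Name="Contoso.SampleApp" Publisher="CN=Contoso" Version="1.0.0.0"/>'
            f'<Capabilities>{caps_xml}</Capabilities></Package>')

def make_package(manifest_xml):
    """Build an in-memory ZIP that stands in for an .appx file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("AppxManifest.xml", manifest_xml)
    return buf.getvalue()

SAMPLE_BROAD = make_manifest('<Capability Name="internetClient"/>'
                             '<rescap:Capability Name="broadFileSystemAccess"/>')
SAMPLE_SCOPED = make_manifest('<Capability Name="internetClient"/>')

if __name__ == "__main__":
    for sample in (SAMPLE_BROAD, SAMPLE_SCOPED):
        print(audit_package(make_package(sample)))
```

A package flagged here still depends on the user consent prompt and the Settings toggle described above, so the result identifies which apps to review rather than which apps already have access.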