Microsoft silently patched a bug in its Windows 10 operating system with the October 2018 update (version 1809) that allowed Microsoft Store apps with extensive file system permission to access all files on users’ computers without their consent.
With Windows 10, Microsoft introduced a common platform, called Universal Windows Platform (UWP), that allows apps to run on any device running Windows 10, including desktop PCs, Xbox, IoT devices, Surface Hub, and mixed-reality headsets.
UWP apps can access certain APIs, files such as pictures and music, or devices such as the camera and microphone by declaring the required permissions in their package manifest (configuration) file.
By default, UWP apps have access to the directories where the app is installed on the users’ system and where the app can store data (local, roaming and temporary folders).
However, to access other files on a system, including sensitive resources, Microsoft offers several types of capabilities that an application can use by declaring their permission in the manifest file.
One such extensive capability, called broadFileSystemAccess (Broad Filesystem Access), allows an application to access the file system at the same level as the user who launched the app.
However, according to Microsoft, this is a restricted capability that, if used, will trigger a user-consent prompt when users first launch the app, asking them to grant or deny this permission to the app.
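Because the capability has to be declared in the package manifest, it can be checked before an app is approved or installed. The following is an added example, not code from the original article or from Microsoft: it parses an AppxManifest.xml and lists declared capabilities, flagging restricted ones such as broadFileSystemAccess. The sample manifest, the app identity and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FOUNDATION = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
RESCAP = FOUNDATION + "/restrictedcapabilities"

# Constructed sample manifest (hypothetical app, not a real package).
SAMPLE_MANIFEST = """<Package
    xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10"
    xmlns:uap="http://schemas.microsoft.com/appx/manifest/uap/windows10"
    xmlns:rescap="http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"
    IgnorableNamespaces="uap rescap">
  <Identity Name="Contoso.SampleApp" Publisher="CN=Contoso" Version="1.0.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
    <uap:Capability Name="picturesLibrary" />
    <rescap:Capability Name="broadFileSystemAccess" />
    <DeviceCapability Name="microphone" />
  </Capabilities>
</Package>"""


def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def audit_manifest(xml_text):
    """Return (kind, name) for every entry under <Capabilities>."""
    # For manifests from untrusted packages, a hardened parser such as
    # defusedxml is the safer choice; the stdlib parser is used here for brevity.
    root = ET.fromstring(xml_text)
    findings = []
    for caps in root.iter("{%s}Capabilities" % FOUNDATION):
        for element in caps:
            ns, local = split_tag(element.tag)
            if local == "DeviceCapability":
                kind = "device"        # camera, microphone, ...
            elif ns == RESCAP:
                kind = "restricted"    # rescap namespace, e.g. broadFileSystemAccess
            else:
                kind = "general"       # foundation or uap capabilities
            findings.append((kind, element.get("Name")))
    return findings


def needs_review(findings, watchlist=("broadFileSystemAccess",)):
    """Names that warrant manual review: restricted or on the watchlist."""
    return [n for kind, n in findings if kind == "restricted" or n in watchlist]
```
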