Windows 10 UWP API vulnerability allows developers to steal all data

Microsoft originally designed UWP applications to improve overall security. After all, users can only download apps that have passed Microsoft's review.
At the same time, UWP applications run only in their own sandboxed process and cannot access other locations, which improves the security of the whole system.

However, the newly discovered vulnerability allows UWP applications to access the entire hard disk and file system without user confirmation.

Vulnerability in the Microsoft UWP API interface:

Originally, to make it convenient for UWP applications to read files in other locations, Microsoft provided developers with a ready-made interface; developers only need to call it.

Under normal circumstances, when the interface is called for the first time, the UWP application pops up a dialogue box requesting the user's permission, and the user must allow the application to access the data.

However, researchers found a serious flaw in the interface that malicious UWP developers can use to bypass the user permission prompt and obtain unrestricted access to files.

Although this vulnerability does not let UWP developers install other Trojans or viruses, a developer with ulterior motives could clearly use it to steal confidential files.

Microsoft has fixed it in V1809:

At present, Microsoft has confirmed the existence of the vulnerability and said that it has been addressed in Windows 10 Version 1809 to block it.

However, older versions of Windows 10 still have not been patched. Fortunately, UWP applications must be reviewed by Microsoft before they are published.

But Microsoft's review of the app store currently has many gaps. For example, a fake Google Photos app, which its developer passed off as Google's UWP version, was approved.

So relying on Microsoft's manual review to improve security is also problematic, and it is not clear whether any malicious UWP application has already exploited the vulnerability.