It turns out an important UWP API in Windows 10 has a bug which mean malicious developers are free to roam all over your hard drive and steal any of your data.
UWP apps are meant to be safer due to being sandboxed and confined to their own directories and special folders. The broadFileSystemAccess API allows developers to request access to your whole hard drive, but was meant to prompt users for permission on first use, much like how apps request access to your camera or location.
According to Dotnetapp.com there is a bug in the implementation of this API which means users never get asked for permission, and are granted full file system access by default.
Microsoft has fixed this issue with the October 2018 Update (which of course still has to roll out), but until then all Windows 10 users remain vulnerable.
Some mitigation exists in that developers have to declare the presence of this API in the manifest of the app, and provide justification for its use in the description of the app. Given Microsoft’s lax supervision of the Store however (see the “Google Photos” ad-clicking malware for example), this provides scant protection.
While Microsoft clearly have a fix already with the October 2018 update, we wonder how many exploitable bugs remain undiscovered in the other newly written and untested UWP API code.