Fortnite fury over how Google handled its huge security hole

It feels like only yesterday that we were all talking about how Epic Games was putting Android users at risk by refusing to put its hit game Fortnite into the Play store, and instead recommending players disable a setting to install it.

It wasn’t yesterday though. It was about three weeks ago.

Sadly, in completely predictable news, Google revealed publicly on Friday that it had discovered that Fortnite’s unorthodox Android installer was vulnerable to being hijacked by other apps, allowing any app on your phone to silently download and install anything they like, including apps with full permissions to spy upon you.


Google actually privately reported this issue to Epic Games back on 1 August, and – to its credit – the makers of Fortnite worked “around the clock” confirming the , developing a fix, testing it, and rolling it out.

However, Epic Games is not at all happy with Google’s security researchers now making details of the vulnerability public.

In the opinion of Epic Games boss Tim Sweeney, Google should have waited longer before going public with details of the “man-in-the-disk” security hole.

In summary:

  • Epic Games doesn’t want its game to be in the Google Play store because they don’t like to give Google such a big percentage of the game’s revenue.
  • Epic Games announces that it will release Fortnite outside of the Google Play store, and devises its own installer (which, on many devices, requires a security setting to be disabled).
  • Legions of security-savvy folks say that this is bad from the security point of view. I chimed in with my own article and discussed the issue on a recent edition of the “Smashing Security” podcast.
  • Epic Games shoots itself in the foot, by releasing an insecure Android installer for Fortnite.
  • Google, at no charge to Epic Games, puts some of its most skilful security researchers to work – and uncovers a serious security hole in the Fortnite installer for Android. They tell Epic Games about it.
  • Epic Games fixes the vulnerability, and asks Google to keep quiet about it for three months.
  • Google says ‘no dice’, and goes public about Epic Games’s failure after a week.
  • Epic Games gets upset.

In the past I’ve been critical of how keen Google is to make public details of vulnerabilities in other vendors’ , which has sometimes occurred before patches are available.

Microsoft too has, in the past, been left fuming after Google disclosed details of unpatched zero-day vulnerabilities in before there has been a decent amount of time to fix them and roll out the fixes to vulnerable users.

I can understand why some may feel that Google has acted inappropriately again on this occasion. But let’s not forget some key points:

It was Epic Games which decided not to distribute its software in the (safer) Google Play store against the advice of security experts. It was Epic Games which failed to properly quality control one of the world’s most popular video games and allowed its vulnerable code to be installed on tens of millions of devices.

If Google hadn’t found the security hole there is a chance that a malicious hacker would have done, and potentially could have put a large number of Android users at risk because of Epic Games’s utter failure to do its job properly.


One side note:

Google’s self-written vulnerability disclosure rules dictate that it will publicly reveal details of bugs 90 days after reporting them to software developers if they have not been addressed. But if a patch has been made “broadly available” then it will only wait one week before releasing details.

When Epic Games said it had released a patch, Google started the clock for disclosure.

However, Epic Games boss Tim Sweeney argues that their installer only updates itself if players run it or run the game.

In other words, Epic Games is concerned that not all installations of Fortnite will have received the update yet.

Huh. Isn’t that an argument for being in the Google Play store? That way the vulnerable code would have been updated automatically rather than hopefully waiting for a user to click on an icon.


About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon’s Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Follow him on Twitter at @gcluley, or drop him an email.
