Fortnite fury over how Google handled its security hole

The thing that security experts said would happen, happened.

Fortnite fury over how Google handled its huge security hole

It feels like only yesterday that we were all talking about how Epic Games was putting Android users at risk by refusing to put its hit game Fortnite into the Google Play store, and instead recommending players disable a security setting to install it.

It wasn’t yesterday though. It was about three weeks ago.

Sadly, in completely predictable news, Google revealed publicly on Friday that it had discovered that Fortnite’s unorthodox Android installer was vulnerable to being hijacked by other apps, allowing any app on your phone to silently download and install anything they like, including apps with full permissions to spy upon you.

Fake fortnite

Google actually privately reported this issue to Epic Games back on 15 August, and - to its credit - the makers of Fortnite worked “around the clock” confirming the vulnerability, developing a fix, testing it, and rolling it out.

However, Epic Games is not at all happy with Google’s security researchers now making details of the vulnerability public.

In the opinion of Epic Games boss Tim Sweeney, Google should have waited longer before going public with details of the “man-in-the-disk” security hole.

In summary:

  • Epic Games doesn’t want its game to be in the Google Play store because they don’t like to give Google such a big percentage of the game’s revenue.
  • Epic Games announces that it will release Fortnite outside of the Google Play store, and devises its own installer (which on many devices, requires for a security setting to be disabled).
  • Legions of security-savvy folks say that this is bad from the security point of view. I chimed in with my own article and discussed the issue on a recent edition of the “Smashing Security” podcast.
  • Epic Games shoots itself in the foot, by releasing an insecure Android installer for Fortnite.
  • Google, at no charge to Epic Games, puts some of its most skilful security researchers to work - and uncovers a serious security hole in the Fortnite installer for Android. They tell Epic Games about it.
  • Epic Games fixes the vulnerability, and asks Google to keep quiet about it for three months.
  • Google says ‘no dice’, and goes public about Epic Games’s failure after a week.
  • Epic Games gets upset.

In the past I’ve been critical of how keen Google is to make public details of vulnerabilities in other vendors’ software, which has sometimes occurred before patches are available.

Microsoft too has, in the past, been left fuming after Google disclosed details of unpatched zero-day vulnerabilities in Windows before there has been a decent amount of time to fix them and roll out the fixes to vulnerable users.

I can understand why some may feel that Google has acted inappropriately again on this occasion. But lets not forget some key points:

It was Epic Games which decided not to distribute its software in the (safer) Google Play store against the advice of security experts. It was Epic Games which failed to properly quality control one of the world’s most popular video games and allow its vulnerable code to be installed on tens of millions of devices.

If Google hadn’t found the security hole there is a chance that a malicious hacker would have done, and potentially could have put a large number of Android users at risk because of Epic Games’s utter failure to do its job properly.

Fortnite installer

One side note:

Google’s self-written vulnerability disclosure rules dictate that it will publicly reveal details of bugs 90 days after reporting them to software developers if they have not been addressed. But if a patch has been made “broadly available” then it will only wait one week before releasing details.

When Epic Games said it had released a patch, Google started the clock for disclosure.

However, Epic Games boss Tim Sweeney argues that their installer only updates itself if players runs it or runs the game.

In other words, Epic Games is concerned that not all installations of Fortnite will have received the update yet.

Huh. Isn’t that an argument for being in the Google Play store? That way the vulnerable code would have been updated automatically rather than hopefully waiting for a user to click on an icon.

Tags: , , , ,

   Join thousands of others and sign up to our free "GCHQ" newsletter.

Smashing Security podcast
Check out "Smashing Security", the award-winning weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"It's brilliant!" • "Three people having fun in an industry often focused on bad news" • Winner of the Best Security Podcast 2018

Latest episodes:
Listen on Apple Podcasts Listen on Google Podcasts

, , , ,

2 Responses

  1. not a spammer, just a sincere person

    September 1, 2018 at 4:59 am #

    you’re just licking google’s ass

    • Graham Cluley in reply to not a spammer, just a sincere person.

      September 1, 2018 at 4:50 pm #

      Google’s donkey??

      Anyway, if you care to read some of my numerous other articles about Google’s disclosure of other software vendors’ vulnerabilities you’ll find your analysis is unlikely.

      For instance, https://www.grahamcluley.com/google-discloses-microsoft-windows-vulnerability/

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.