
Forum �bersicht Suche Login Registrieren Forums-Blog Landkarte

27	August 2018

'Fortnite' developer had sharp words for Google after the scary Android exploit was discovered

Google essentially got slapped hard when Epic Games, the developer on the super popular Fortnite, did not make the overall game available with the Play Store, but via its app.

Google warned Epic that this could potentially put Android users at greater security risk, however the game developer brushed it, insisting on-going it alone for a lot of reasons � including lacking to give Google a cut in-app revenue and "embracing open platforms."

Well, now the worst has happened. Despite having no obligation to take action, Google recently discovered an exploit inside the Fortnite installer app that allowed malicious apps set up on one's Android phone to hijack the download process to ensure that instead of downloading the overall game from Epic's server, it could possibly download and install something entirely different, which might leave the product open to attacks.

SEE ALSO: What You Should Know About 'Fortnite' Addiction

Here's a simple run-down of the items happened:

Google first discovered the vulnerability inside on the Fortnite installer app on Aug. 15 and immediately notified Epic. Details for that exploit Fortnite Items weren't public yet. Within 48 hrs, Epic patched the Fortnite installer and deployed it to any or all Android users who installed the app.

Here's where things obtain a little ugly. Even though Epic quickly released a patch with the installer app, it asked Google not to ever disclose the details on the exploit until after three months. Not only would there be time for users to Buy Fortnite Skins update their installer apps, but hackers also couldn't survive able to take advantage in the bug.

However, Google's bug disclosure guidelines explicitly states this:

"This bug is be subject to a 90-day disclosure deadline. After 3 months elapse or even a patch has been given broadly available, the bug report - including any comments and attachments - can be visible on the public."

Despite Epic's obtain Google to have to wait the full ninety days before disclosing the exploit, Google abided by a unique guidelines and shared the important points.

Per a Google rep posting to a Issue Tracker thread about the bug report:

"...now the patched version of Fortnite Installer may be available for 1 week we will go on to unrestrict this problem in line with Google's standard disclosure practices".

Naturally, the Fortnite developer wasn't happy about Google's decision by any means. Epic provided Mashable the next comment from CEO Tim Sweeney:

"Epic genuinely appreciated Google's effort to execute an in-depth security audit of Fortnite rigtht after our release on Android, and share the effects with Epic and then we could speedily issue an update to solve the flaw they discovered.

However, that it was irresponsible of Google to publicly disclose the technical details with the flaw so quickly, even though many installations we had not yet undergone an update and continued to be vulnerable.

An Epic security engineer, inside my urging, requested Google delay public disclosure for your typical three months to allow time for that update to become more widely installed. Google refused. You can read everthing at
Google's security analysis work is appreciated and conserve the Android platform, however a corporation as powerful as Google should practice more responsible disclosure timing than this, and never endanger users through its counter-PR efforts against Epic's distribution of Fortnite over and above Google Play."

Ultimately, who's inside right and who's inside the wrong? Honestly, neither company is.

Google is correct that Epic's decision not to ever release Fortnite throughout the Play Store leaves the app weaker. As my colleague, Mashable tech reporter Matt Binder, previously clarified: Android users must disable certain Android security permissions as a way to install Fortnite then there is no guarantee they'll make sure you turn it well on after accomplishing this.

Maybe Google in fact is upset at the idea of failing to get enough any revenue through the massively popular game (apps on Google Play pay a share of the sales to Google), as Sweeney implied. But the Android gatekeeper maintains what has speedy disclosure from the exploit was done inside name of user security.

Following Sweeney's statement, Google had only this to state in response to Mashable's obtain comment: "User security is our the goal, so when part of our proactive monitoring for malware we identified a vulnerability within the Fortnite installer. We immediately notified Epic Games and so they fixed the matter."

And the simple truth is, Google does use a responsibility to make certain users are secure. Otherwise, third-party developers could provide entire platform a level worse reputation.