EPIC GAMES AIN'T CHUFFED with Google for disclosing a vulnerability in its Fortnite game launcher on Android.
On 15 August, Google publicly disclosed a bug in the launcher that could have allowed hackers to slip malware onto Android devices: a genuine Android Package (APK) in the launcher could be swapped for a malicious one if it was given the same package name.
The APK-related flaw in the Fortnite Installer essentially allowed it to be hijacked by any app on the Android device holding the WRITE_EXTERNAL_STORAGE permission, which could replace the APK with a fake one containing all manner of security nasties, effectively enabling a 'man-in-the-middle' attack.
For the attack to work, the victim would need to have an app on their phone or Android tablet (lol) that was actively looking for the flaw in the Fortnite Launcher.
But if there was such an app, it would quickly be able to cause havoc: under Android's current permission system, there's no need to authorise the installation of apps from "unknown sources" once an initial installer or launcher app has been granted access to the device.
As such, an Android device could be duped into downloading malicious apps and code that it would think were the genuine Fortnite game, making the flaw quite a nasty one.
However, the flaw was presented as a proof-of-concept, wasn't exploited out in the wild, and was patched with the 2.1.0 version of the Fortnite Installer.
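The following is an added example, not code from Epic, Google or the original article. It is a plain-Python model of the file handling an installer can use to resist this kind of swap: it stages the download in installer-private storage and checks a digest of the private copy, since a package-name check alone accepts the replacement. The file layout, the `package=` header standing in for an APK, the package name and the trusted-manifest digest are all assumptions made for illustration.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def package_name(path):
    """Read the 'package=' header of our constructed stand-in for an APK."""
    with open(path, "rb") as f:
        return f.readline().decode().strip().split("=", 1)[1]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def name_only_check(path, expected_name):
    """Weak check: accepts any file that claims the expected package name."""
    return package_name(path) == expected_name

def stage_and_verify(shared_path, private_dir, expected_sha256):
    """Copy into installer-private storage, then hash the private copy.

    Returns the private path to install from, or None if the digest differs.
    Hashing the copy (not the shared file) means a later swap in shared
    storage cannot change what gets installed.
    """
    os.makedirs(private_dir, mode=0o700, exist_ok=True)
    final_path = os.path.join(private_dir, "staged.apk")
    tmp_path = final_path + ".tmp"
    shutil.copyfile(shared_path, tmp_path)
    os.chmod(tmp_path, 0o600)
    if sha256_file(tmp_path) != expected_sha256:
        os.remove(tmp_path)          # a failed check never replaces a good copy
        return None
    os.replace(tmp_path, final_path)
    return final_path

def demo():
    genuine = b"package=com.example.game\nGENUINE-PAYLOAD"  # constructed sample
    swapped = b"package=com.example.game\nOTHER-PAYLOAD"    # constructed sample
    expected = hashlib.sha256(genuine).hexdigest()  # assumed: from a trusted manifest
    root = tempfile.mkdtemp()
    shared = Path(root, "shared", "game.apk")       # models external storage
    shared.parent.mkdir()
    shared.write_bytes(genuine)
    staged = stage_and_verify(shared, os.path.join(root, "private"), expected)
    shared.write_bytes(swapped)  # another app with write access swaps the file
    result = {
        "name_check_accepts_swap": name_only_check(shared, "com.example.game"),
        "staged_copy_still_genuine": sha256_file(staged) == expected,
        "swap_rejected_on_restage":
            stage_and_verify(shared, os.path.join(root, "private"), expected) is None,
    }
    shutil.rmtree(root)
    return result
```
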
However, Tim Sweeney, Epic's chief executive, wasn't happy with the way Google didn't give the company the normal 90-day window to respond to the vulnerability report and patch it before the public was made aware of its existence.
"Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered," Sweeney told Android Central.
"However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
"An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused."
So Google annoyed Sweeney and had him grumble that the search giant should practise more responsible disclosures.
But it's worth noting that this flaw falls under Google's zero-day disclosure policy, under which, if it believes a flaw is dangerous enough, it will only provide a 7-day deadline for software firms to patch the bug.
"Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves," Google's policy states.
"Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. In our opinion, vulnerability disclosure policies such as ours result in greater overall safety for users of the internet," the search giant added.
The massive popularity of Fortnite and its final arrival on Android means it's likely to be a target of opportunistic hackers looking to tap into people's desire to play the Battle Royale-like game. µ