Fortnite Hacker Hole Found by Google, Epic Complains
Two weeks ago, Google researchers found a very serious security hole in Fortnite's Android installer. The flaw — which Epic Games has patched — would have let hackers manipulate the Fortnite installer to load other apps, leaving users’ phones wide open to attack.
Google publicly disclosed the vulnerability a week after Epic Games fixed it, but that prompted Epic Games CEO Tim Sweeney to accuse Google of acting in bad faith.
If you've already got Fortnite installed on Android, you're probably safe, as the installer app should have updated itself over the past 10 days. But just to be safe, make sure that the Fortnite installer app on your phone is at version 2.1.0.
Epic Games — developer of the extremely popular online battle royale-style game previously available for PlayStation 4, Switch, Xbox One, macOS, iOS, and Windows — decided earlier this month not to release the game in the Google Play app store so that Epic Games could avoid paying the 30-percent cut of sales, as every Android (and Apple) developer that goes through the official app store does.
Epic’s decision — which forced users to change critical security settings in their Android phones that open the way for malicious activities — prompted sharp criticism from security experts all over the internet.
The critics appear to have been right. Google’s security experts found out that the Fortnite Android installer for Samsung's Galaxy phones includes code that makes possible a man-in-the-disk attack, This allows evil apps with low privileges to get control over the Fortnite installer in order to install other malicious apps with higher permissions. (It is not clear whether the installer app for non-Samsung phones was affected.)
Google reported the flaw to Epic Games on the morning of Aug. 15, and the game developers had a fix (version 2.1.0 of the installer) out the door within 36 hours. Fortnite installer apps already on user phones should update to the patched version automatically.
Yet Epic Games strongly criticized Google for publishing information about the installer flaw on Aug. 24, only eight days after the patch was available. The company claims that Google did this in bad faith after Epic specifically asked them not to disclose the bug.
"We asked Google to hold the disclosure until the update was more widely installed," Sweeney tweeted Saturday (Aug. 25). "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."
However, Google’s own security policies establish that security bug reports will be made public after 90 days of the disclosure or after "a patch has been made broadly available." The 90-day windows is to give developers time to fix problems, not to give users three months to install patches. Security experts generally agree that vulnerability patches should be installed as soon as they become available.
Source: tomsguide
Latest Jobs
-
- IT Cyber Security Recruitment Consultant – Hot Desk
- Beckenham
- Dependent on Experience
-
IT Cyber Security Recruitment Consultant – Hot Desk | Beckenham, London, UK | Training Provided | Rapid Career Development for achievers | No Threshold Commission Scheme | Luxury Target Based Rewards & Incentives | Previous Cyber Security Sales/Recruitment Experience Required. DCL Search & Selection are a client focussed niche recruitment company with over 26 years of experience within the IT Industry. We are looking for an IT Cyber Security Recruitment Consultant due exponential growth and investment in the industry. Why DCL? No Threshold & Commission Scheme up to 30%. Endless training & support CRM Database with an exceptional amount of both Clients and Candidates Minimal Admin work Rapid promotion for achievers 3 Computer Screens & work mobile. LinkedIn Recruiter License Join a creative team of IT Recruitment Consultants dedicated to connecting talent The IT Cyber Security Recruitment Consultant will be responsible for: Identifying, qualifying and approaching passive cyber security candidates through numerous methods and guiding them through the recruitment process. Winning new business/ developing existing relationships Achieving and exceeding sales targets Self-managing daily tasks to make sure that you will be as successful as possible Having a structured approach with a solution selling ability as the sales cycles are not as quick. What we are looking for: Previous & Successful B2B / Business to Business Sales/Recruitment experience within the Cyber Security Industry. Excellent telephone manner Professional, fast-paced, driven and ambitious Mature and honest and a passion to succeed Commutable to Beckenham Want to know more? Click Apply or email your CV to lucycinder@dclsearch.com or call 02086634030. (Cyber Recruitment Jobs, IT Recruitment, IT Recruitment Consultant, Executive Search Consultant, IT Executive Search Consultant, IT Headhunter, Recruitment Headhunter)
-
- P3M3 Project Manager Cyber
- London
- £75,000+
-
Ref CH7790 P3M3 Project Manager Cyber London Experienced Project Manager with a Cyber Security focus is needed to join a London business. In you are a certified P3M3 project / program manager with Cyber experience I want to speak with you. Specific experience across Axelos best practice P3M3 (version 3) is essential. Specifically across the P3M3 maturity models; Portfolio Management (PfM3) , Programme Management (PgM3), and Project Management (PjM3) I am looking for a project / programme manager that has experience taking clients from and through the maturity Level 1 to Level 5. Specifically helping them to identify their challenge / requirements in existing / upcoming projects and effectively deliver change. Through the seven perspectives of; Organisational governance, Management control, Benefits management, Risk management, Stakeholder management, Finance management and Resource management. All details kept in the strictest of confidence. Apply today for more information. Chris.Holt@dclsearch.com 07884666351
-
- Government / Public sector Cyber Security Consultant
- London
- Up to £60,000
-
CH7789 Government / Public sector Cyber Security Consultant £60,000 London Government / Public sector Cyber Security Consultant is needed to join a Consultancy in Great London. Security clearance is a must. This management consultancy delivers advisory, project definition / rescoping, business transformation, Cyber security programs and have a requirement for 3 new hires. The Government / Public sector Cyber Security Consultant MUST have current experience working within the Government / Public Sector. A blend of broad technical solutions, consultative advisory skills is essential. Your role will include, but not be limited to; across engaging with senior stakeholders, requirement identification, business analysis, technical consulting, business transformation, secure technical design, workshops / Cyber table top exercises etc CCP (CLAS) SC / DV clearance. Must be happy to travel within the UK. All details kept in confidence. Apply today to find out more. Chris.Holt@dclsearch.com 07884666351
-
- Cyber IR Threat hunter, Managed Detection & Response, Remote UK
- United Kingdom
- £55,000 + benefits
-
REF CH7787 Cyber IR Threat hunter, Managed Detection & Response, Remote UK £55,000 + benefits Cyber IR Threat hunter with Managed Detection & Response experience needed. Can be remotely based or in London (if you are commutable) This is an opportunity to be deeply involved in heart of a technical cyber investigation, often working on technically complex situations with international clients. The Cyber IR Threat hunter with Managed Detection & Response consultant will work remotely connecting into live client environment to gain technical visibility on the incident, monitor engagements and help formulate a plan to eradicate remediate the situation. Hands on experience in the following is essential; Network behaviour analysis, Cyber security incident response / malware analysis, Managed Endpoint detection and response solutions i.e. Carbon Black, Countercept, Threat detect. Digital forensics, threat detection, hunting / analysis. Scripting Interest to hear from individuals with experience innovating and developing capabilities. All details kept in the strictest of confidence.