Fortnite Hacker Hole Found by Google, Epic Complains
Two weeks ago, Google researchers found a very serious security hole in Fortnite's Android installer. The flaw — which Epic Games has patched — would have let hackers manipulate the Fortnite installer to load other apps, leaving users’ phones wide open to attack.
Google publicly disclosed the vulnerability a week after Epic Games fixed it, but that prompted Epic Games CEO Tim Sweeney to accuse Google of acting in bad faith.
If you've already got Fortnite installed on Android, you're probably safe, as the installer app should have updated itself over the past 10 days. But just to be safe, make sure that the Fortnite installer app on your phone is at version 2.1.0.
Epic Games — developer of the extremely popular online battle royale-style game previously available for PlayStation 4, Switch, Xbox One, macOS, iOS, and Windows — decided earlier this month not to release the game in the Google Play app store so that Epic Games could avoid paying the 30-percent cut of sales, as every Android (and Apple) developer that goes through the official app store does.
Epic’s decision — which forced users to change critical security settings in their Android phones that open the way for malicious activities — prompted sharp criticism from security experts all over the internet.
The critics appear to have been right. Google’s security experts found out that the Fortnite Android installer for Samsung's Galaxy phones includes code that makes possible a man-in-the-disk attack, This allows evil apps with low privileges to get control over the Fortnite installer in order to install other malicious apps with higher permissions. (It is not clear whether the installer app for non-Samsung phones was affected.)
Google reported the flaw to Epic Games on the morning of Aug. 15, and the game developers had a fix (version 2.1.0 of the installer) out the door within 36 hours. Fortnite installer apps already on user phones should update to the patched version automatically.
Yet Epic Games strongly criticized Google for publishing information about the installer flaw on Aug. 24, only eight days after the patch was available. The company claims that Google did this in bad faith after Epic specifically asked them not to disclose the bug.
"We asked Google to hold the disclosure until the update was more widely installed," Sweeney tweeted Saturday (Aug. 25). "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."
However, Google’s own security policies establish that security bug reports will be made public after 90 days of the disclosure or after "a patch has been made broadly available." The 90-day windows is to give developers time to fix problems, not to give users three months to install patches. Security experts generally agree that vulnerability patches should be installed as soon as they become available.
Source: tomsguide
Latest Jobs
-
- PCI QSA needed. Discreet Opportunity | London | Client facing
- London
- N/A
-
CH08421 PCI QSA needed. Discreet Opportunity | London | Client facing. Payment Card Industry - Qualified Security Assessor - London Seeking someone looking to accelerate their career, into a variety of interesting clients / projects. Must be happy to be onsite with clients- this is not a fully remote role. You must currently hold a valid CISSP or CISM or ISO27001 lead implementer certification AND one of the following; CISA, GSNA, iso27001 lead Auditor, CIA or IRCA ISMS auditor+ Visa sponsorship not available. Apply today for more information chris.holt@dclsearch.com Use this whatapp link to reach out https://wa.me/message/6USF5RAQBOZIP1
-
- Network / Security Infrastructure Engineer | West London | Permanent
- London
- N/A
-
Network / Security Infrastructure Engineer | West London | Current Config, Install, upgrade experience On prem / Datacetner experience essential. Hands on experience MUST include: Routing, Switching, Network Security (firewall, IDS etc), Microsoft exchange / Exchange 365. Scripting / automation experience wanted. Python, Powershell etc Regular travel to West London is required. Visa sponsorship not available. Apply today for more information chris.holt@dclsearch.com Use this whatapp link to reach out https://wa.me/message/6USF5RAQBOZIP1
-
- Security Operations / information Security Analyst / Engineer. London
- London
- N/A
-
Security Operations / information Security Analyst / Engineer needed for a London opportunity. A technical hands on role to investigate, escalate and proactively work to protect a globally recognised brand. Someone with SOC Analyst / security engineering background would be well suited. This position will join a small team and would suit someone that has broad experience across the security threat landscape. Experience / knowledge across industry GRC standards such NIST, ISO27001 etc very advantageous and a priority. You will work across multiple teams proactively working to secure the business. Must be able to commute to Central London 3 days a week. Visa sponsorship not available Apply today to find out more.
-
- Security Cleared Penetration Tester: United Kindom
- N/A
- N/A
-
Security Cleared Penetration Tester Deliver technical Penetration tests to the NCSC CHECK standard. Active CHECK Member or Leader status desirable either in Web Application or Infrastructure. Reach out to find out more. Whatsapp directly here https://wa.me/message/6USF5RAQBOZIP1 Or apply today