Fortnite Hacker Hole Found by Google, Epic Complains
Two weeks ago, Google researchers found a very serious security hole in Fortnite's Android installer. The flaw — which Epic Games has patched — would have let hackers manipulate the Fortnite installer to load other apps, leaving users’ phones wide open to attack.
Google publicly disclosed the vulnerability a week after Epic Games fixed it, but that prompted Epic Games CEO Tim Sweeney to accuse Google of acting in bad faith.
If you've already got Fortnite installed on Android, you're probably safe, as the installer app should have updated itself over the past 10 days. But just to be safe, make sure that the Fortnite installer app on your phone is at version 2.1.0.
Epic Games — developer of the extremely popular online battle royale-style game previously available for PlayStation 4, Switch, Xbox One, macOS, iOS, and Windows — decided earlier this month not to release the game in the Google Play app store so that Epic Games could avoid paying the 30-percent cut of sales, as every Android (and Apple) developer that goes through the official app store does.
Epic’s decision — which forced users to change critical security settings in their Android phones that open the way for malicious activities — prompted sharp criticism from security experts all over the internet.
The critics appear to have been right. Google’s security experts found out that the Fortnite Android installer for Samsung's Galaxy phones includes code that makes possible a man-in-the-disk attack, This allows evil apps with low privileges to get control over the Fortnite installer in order to install other malicious apps with higher permissions. (It is not clear whether the installer app for non-Samsung phones was affected.)
Google reported the flaw to Epic Games on the morning of Aug. 15, and the game developers had a fix (version 2.1.0 of the installer) out the door within 36 hours. Fortnite installer apps already on user phones should update to the patched version automatically.
Yet Epic Games strongly criticized Google for publishing information about the installer flaw on Aug. 24, only eight days after the patch was available. The company claims that Google did this in bad faith after Epic specifically asked them not to disclose the bug.
"We asked Google to hold the disclosure until the update was more widely installed," Sweeney tweeted Saturday (Aug. 25). "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."
However, Google’s own security policies establish that security bug reports will be made public after 90 days of the disclosure or after "a patch has been made broadly available." The 90-day windows is to give developers time to fix problems, not to give users three months to install patches. Security experts generally agree that vulnerability patches should be installed as soon as they become available.
Source: tomsguide
Latest Jobs
-
- ForgeRock Consultant
- Spain
- Upto €85000 plus benefits
-
ForgeRock deployment consultant is needed for this expanding IT Services business within Spain, to act as their ForgeRock technical lead, Responsibilities include: High level and low level design, Scoping the techical needs of the project design, configure, develop and test the forgeRock deployment. We are looking for a strong IAM consultant ideally with ForgeRock experience, Must have strong Oauth 2.0, SAML and API experience
-
- IAM Consultant
- France
- Upto €85000 plus benefits
-
An Identity & Access Management Consultant is needed for an expanding IT Security consultancy, based in France. (Remote role with monthly office meet-ups) The Identity & Access Management Consultant will be responsible for the technical design and implementation of Identity & Access Management/IAM products for a wide variety of clients. Deliver bespoke end-to-end consultancy service to our clients, from gathering requirements through to implementation. Work in a close team designing, developing, and implementing first-class IAM solutions. Manage client relationships, working closely with key stakeholders to continually evaluate business requirements and ensure the highest quality solution delivery. If you are interested we are looking for an individual with Previous experience working within the IAM or CIAM field is essential, Strong knowledge with SAML and Oauth and ideally OpenID Previous experience from any of these technologies: One Identity, SailPoint, Saviynt, Ubisecure, Ping Identity, would be advantageous
-
- Ping Identity Support Consultant- IAM Support
- Madrid
- upto €60,000 plus benefits
-
As the Ping Support specialist, you would be part of a team focused on Single Sign On (SSO) / Federation and Multifactor authentication, protecting our clients from unauthorized access and cyberattacks. The position is to provide 2nd/ 3rd line support, for the following tech. SSO, Federation, Reverse Proxy infrastructure, Apache servers, and its associated components and applications To be responsible for the day to day operational support, performance, tactical lifecycle management, and continuous improvement of the respective IT infrastructure. We are looking for someone with strong SAML and OAuth Knowledge as well as experience supporting the Ping portfolio of solutions Identity, Access, Federate
-
- IAM Architect Ping Identity, Access Federate
- Stuttgart
- Up to €110,000 plus benefits
-
An experienced Ping Identity Architect is needed for this global brand who are looking for someone who wants to join a growing Cyber Security team. We are looking for a senior Architect who can be responsible for the full IAM portfolio, including overseeing all BAU work as well as being responsible for the future strategy and development of the IAM portfolio further development and strategy You will be responsible for ensuring all architectures and best practices within the architecture framework are maintained and developed We are looking for someone with a strong Ping background, in Ping identity, federate, and Access, you will have worked as a senior consultant or architect in previous roles and ideally have some team-leading experience You will have good knowledge of architectural principles and patterns and their implementation into system and software design Experience in handling container technologies, cloud technologies, CI/CD (DevOps) and LDAP