Epic Games made the decision to not use the Google Play Store for Fortnite on Android in early August, shortly ahead of its release. Google has warned Epic that this puts players at risk, Epic has continued with their installer despite this. As expected, Google has discovered an exploit in Epic’s installer.
Unfortunately, the exploit allows a malicious user or app to hijack the Fortnite download process and route the download away from Epic’s servers to install something entirely different. This is known as a Man-in-the-Disk (MitD) attack. Google has no obligation to look for exploits in Epic’s installer. The decision was likely made to keep the vulnerability from tarnishing the name of the Android platform.
Google discovered the vulnerability on August 15th at 7AM PT and privately notified Epic Games immediately. Within 7 minutes Epic acknowledged the exploit. 10 hours later Epic confirmed they reproduced the exploit and are working on a fix. The next day, August 16th at 4:12PM PT, Epic stated they have deployed a fix to players.
2 hours after the patch, Epic requested that Google withhold details of the exploit. The request was for a full 90 days so that players are given ample time to patch their devices.
To Epic’s dismay, Google proceeded to publicize the vulnerability only 7 days after the patch was deployed to players. Google’s bug disclosure guidelines specifically states that they will disclose a bug within the first 90 days.
“This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report – including any comments and attachments – will become visible to the public.”
As expected, Epic Games was not happy with this decision. Tim Sweeney, CEO of Epic Games and Founder of the Unreal Engine provided Mashable with the following statement:
“Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.
However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.
An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336
Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.”
Ultimately, neither Google or Epic Games are in the right in this situation. Google is right in saying that avoiding the Google Play Store puts Fortnite players at a security risk. On the other hand, Epic requested that Google wait the full 90 days prior to disclosing the exploit, but Google ignored this request giving the follow stating to Mashable:
“User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue.”
What do you think? Should Google have been more understanding with Epic’s request, despite Epic’s decision which will lose Google at least $50,000,000? Let us know!