3 min read

Epic Games CEO, Tim Sweeney has accused Google of being “irresponsible” for disclosing a major security flaw in the Fortnite Android Installer to the public eye before patch of this game was widely available.

After the Fortnite installer went live, Google security engineers pointed out a security bug. This showed that installing the file (with .apk extension) shared by Epic Games, enabled the hackers to push malicious apps that could take over a user’s device. To make things even worse, the .apk file shared by Epic Games is the first step to follow while installing the Fortnite game.

As mentioned in the Google thread, “Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK”.

Epic was quick to respond to this and took appropriate action to secure the newer Android devices from being vulnerable to the attacks. Additionally, Epic had asked Google for 90 days before making the security issue public as it would provide users with enough time to update the installers. However, last Friday, Google released a thread titled “Fortnite Installer downloads are vulnerable to hijacking” that talks about the vulnerability issues in the installer, clearly not granting Epic the requested 90 days. Google proceeded to “unrestrict the issue in line with Google’s standard disclosure practices”.

Google spokesperson said that “User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue”.

Epic games didn’t appreciate the move, and its CEO Tim Sweeney released a statement saying how “Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered. However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.”

Sweeney also took to Twitter to express his disapproval regarding the situation.

He even went ahead to say that this was Google’s attempt to “score cheap PR points” against Epic as they decided to release Fortnite via their own website instead of Google Play Store. This would have left Google out of the 30% cut it would’ve received with in-app purchases made on Fortnite Android.

“Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play” as mentioned on the Fortnite blog.

This is not the first time that Google has been criticized, Microsoft also accused it of disclosing its vulnerabilities before patches were made widely available.

Now, whether this was really a PR move by Google against Epic cannot be verified. Epic games have now come out with a 2FA or two-factor authentication to “ help protect user accounts from unauthorized access by requiring them to enter an additional code when they sign in”.

Read Next

Google’s incognito location tracking scandal could be the first real test of GDPR

1k+ Google employees frustrated with continued betrayal, protest against Censored Search engine project for China

Google gives Artificial Intelligence full control over cooling its data centers

 

Natasha Mathur
Tech writer at the Packt Hub. Dreamer, book nerd, lover of scented candles, karaoke, and Gilmore Girls.

LEAVE A REPLY

Please enter your comment!
Please enter your name here