Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Android Google Security IT Technology

'Irresponsible' Google Refused Fortnite's Request To Delay Vulnerability Disclosure To Score Cheap PR Points, Says Epic's Chief (bbc.com) 230

The leader of the firm behind the hit game Fortnite has accused Google of being "irresponsible" in the way it revealed a flaw affecting the Android version of the title. BBC, with additional input from Slashdot staff: On Friday, Google made public that hackers could hijack the game's installation software to load malware. The installer is needed because Epic Games has bypassed Google's app store to avoid giving it a cut of sales. Epic's chief executive said Google should have delayed sharing the news. "Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google's rapid public release of technical details," he said. "We asked Google to hold the disclosure until the update was more widely installed," tweeted Tim Sweeney. "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."
This discussion has been archived. No new comments can be posted.

'Irresponsible' Google Refused Fortnite's Request To Delay Vulnerability Disclosure To Score Cheap PR Points, Says Epic's Chief

Comments Filter:
  • They're miffed (Score:5, Insightful)

    by Hylandr ( 813770 ) on Monday August 27, 2018 @11:47AM (#57203774)

    Google isn't playing nice. Don't get a cut of the profit? Well screw your security alerts.

    • Re:They're miffed (Score:5, Insightful)

      by 93 Escort Wagon ( 326346 ) on Monday August 27, 2018 @11:58AM (#57203870)

      People should've already been aware that Google isn't above playing politics with software vulnerabilities.

      We've also seen it go the other way - where Google held onto vulnerability announcements regarding its own software far longer than the 90 days (or whatever it specifically is) Project Zero generally says is how long they're willing to wait.

    • Re:They're miffed (Score:5, Insightful)

      by magarity ( 164372 ) on Monday August 27, 2018 @12:03PM (#57203902)

      There's 2 sides to this:
      1. Google wants to get a cut
      but
      2. Users really, really, really, don't need yet another gaping security hole AKA "installer" on their devices.

  • by alvinrod ( 889928 ) on Monday August 27, 2018 @11:47AM (#57203780)
    I'd at least like to hear Google's side of this first.

    Would hate to unpack the pitchfork for nothing and all that.
    • by thaylin ( 555395 ) on Monday August 27, 2018 @11:52AM (#57203824)

      Google followed its own guidelines. Their guidelines are that they will release the details when the first of 2 things happens, either 90 days has expired OR a general availability patch has been released. The second happened, but Epic wanted google to violate its own guidelines for them.

      • by u19925 ( 613350 )

        Google does not provide level of details that id did for Epic flaw immediately after the patch is made generally available.

        • If their software was distributed via Google Play, the patch would have been installed automatically for the majority of users after a few days. By default phones are set to auto-update apps when they're on WiFi and charging. Google Play itself always auto-updates. Epic is saying after a week hardly anyone has updated their installer.

      • by SantiagoMcRib ( 3238871 ) on Monday August 27, 2018 @12:06PM (#57203922)

        This is well stated. And for those that think that it's vindictive on Google's part, well... you're not wrong, but it's the consequence of releasing outside the ecosystem that would automatically deploy the update to the install base.

        I think a lot of people are failing to realize that the 30% cut isn't just to make Google money, but also to fund the infrastructure to host and deploy apps according to their own best practices.

        • by Zmobie ( 2478450 )

          Some money is appropriate, but 30% is pretty damn excessive. Factor in the taxes and most of the companies are lucky to get half of what they are charging and a bunch of that I'm sure is overhead.

          • They don't pay tax on the 30% Google took.
            They also don't need to run any of their own infrastructure, pay for bandwidth or pay a payment processor, which for very small transactions like in-app purchases, will charge a lot higher than the "normal" 2.5%.
            They also don't need to worry about the security implementation of the payment system in their app. Or the security of the installation manager software, which apparently did Epic not worry about, they completely disregarded any attempt at security.

      • Exactly. I'd like to add that in this case, it doesn't seem like they should have followed the rules.

        Epic's game and installer is a non-essential add-on. Removing a downloaded exploit is a fine and normal solution to cleaning the device. The users should have been notified immediately to implement the obvious solution.

    • Re: (Score:2, Informative)

      by u19925 ( 613350 )

      I'd at least like to hear Google's side of this first.

      You heard google already. They told what they had to when they announced the security issue. Only then Epic has reacted. In this instance, Google is outright greedy and wants to kill anybody who wants to distribute software outside of Google Play store. So much for the open Android platform. Manufacturers cannot fork Android otherwise none of the phones can be connected to Play Store. They must install dozens of privacy invading Google apps in default settings otherwise no Play Store. Android are simply Goo

    • by Albanach ( 527650 ) on Monday August 27, 2018 @12:17PM (#57203998) Homepage

      Let's think about what Epic were asking for. They'd prefer users not be notified of a critical vulnerability for three months and instead just wait to see how many upgrade naturally.

      Google on the other hand have a published policy that they will notify of security events after 90 days if un-patched or after a patch is widely available, exactly what happened here.

      While Google does have a strong financial incentive to stop other companies from operating outside the play store, they also have an incentive for Android not to be viewed as a less secure mobile operating system. It seems to me that, if you want to encourage security patches to be applied, you would want to let users know that their existing install has a critical vulnerability. Why Epic would prefer silence can be inferred, but it's not to the benefit of their customers.

      • It is certainly reasonable for server-side software in which a security team ensures that the current installation is not vulnerable to exploits, and performs the required patching/updating operations.
        For commercial software aimed at general users, the benefits of (very) prompt disclosure are more questionable:
        - Regardless of the disclosure status, these users will most likely never hear about it.
        - Even if they hear about it, in the specific case of games such as Fortnite, a significant proportion of the
      • by Xylantiel ( 177496 ) on Monday August 27, 2018 @01:30PM (#57204692)

        It doesn't help that if Epic's launcher had been distributed through the play store, I think having it update would be less of a problem. And this is one of the major security advantages of distributing through the play store. So you can view the entire decision of Epic to not distribute through the Google store as sacrificing user security for more money. I don't even want to know how many scam download sites there are. It is a lot harder to tell the difference on a phone than on a desktop. If this is any indication of how seriously Epic takes their customers' security, one better assume it's pretty much a field day of vulnerabilities.

        I happen to agree that the Google play store is kindof onerous, but what Epic has done is a worse solution from the user standpoint and failed in a completely predictable way in this case. There are other possible solutions, but the handset vendors are too used to having Google do a lot of things for them to push the issue, or too hostile to each other to work together. ...or maybe it actually all comes back to DRM such that an actual open and fair platform is untenable from the start.

  • by Austerity Empowers ( 669817 ) on Monday August 27, 2018 @11:51AM (#57203816)

    It's not clear what level of ownership Google should be expected to take on this. It seems to me that they technically did more than I'd feel obligated to in their shoes. Epic appears to have been responsible for the bug, Google appears to have found it for them. Honestly I think they already went the extra mile right there.

    Of course if Epic used the app store, then I'd expect a more appropriate arrangement of identification, fix and announcement.

    • Re: (Score:2, Interesting)

      by drinkypoo ( 153816 )

      It's not clear what level of ownership Google should be expected to take on this. It seems to me that they technically did more than I'd feel obligated to in their shoes.

      That is in fact the nature of Epic's objection. Google did more than they were obligated to do, and the thing they did put users at risk, it did not protect them.

      Epic appears to have been responsible for the bug, Google appears to have found it for them. Honestly I think they already went the extra mile right there.

      And that's where they should have stopped. If Epic were not addressing the bug, then full and immediate disclosure would have been warranted, but that was not the situation.

      Of course if Epic used the app store, then I'd expect a more appropriate arrangement of identification, fix and announcement.

      Nice bug you've got there. Shame if someone announced it unnecessarily while you were fixing it. Guess you should have paid the protection money, eh?

      • by thaylin ( 555395 )

        That is in fact the nature of Epic's objection. Google did more than they were obligated to do, and the thing they did put users at risk, it did not protect them.

        I disagree. In order to install the app they had to disable several security mechanisms, and probably not turn them back on. They told epic about the flaw and waited for them to fix it, once it was fixed and released a patch it is best for all people to know they need to immediately patch, since there are no guarantees their loader auto patches.

        and that's where they should have stopped. If Epic were not addressing the bug, then full and immediate disclosure would have been warranted, but that was not the situation.

        incorrect. Google has an obligation to continue, unless you think flaws should not be disclosed unless they fail to fix them?

        Nice bug you've got there. Shame if someone announced it unnecessarily while you were fixing it. Guess you should have paid the protection money, eh?.

        Again they did not disclose it during th

        • Again they did not disclose it during the fix, they disclosed it after a patch had been released. They followed their own guidelines.

          It's pathetic to see people justify abuse under the law, but it's even more pathetic to see people justify abuse under corporate policy.

          • by thaylin ( 555395 )

            So you are saying Google should have put users in danger by holding on to the discloser, for what reason?

          • It's pathetic to see people justify abuse under the law, but it's even more pathetic to see people justify abuse under corporate policy.

            It looks more like you said they shouldn't have published a vulnerability before the patch was ready, and GP pointed out Google published the vulnerability after the patch was already released and being installed by users for a week.

            Most of us get the advisory that a patch fixes a critical vulnerability the second the patch is released. It's right there in the release notes, right up front.

            Google did more than they were obligated: they kept quiet a week longer than required to let Epic make the annou

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Nice bug you've got there. Shame if someone announced it unnecessarily while you were fixing it. Guess you should have paid the protection money, eh?

        The fix was already made available. As per Google's guidelines, they either announce the issue 90 days after reporting it, or a week after the fix is made broadly available. From the article, the fix was made available on Aug 17, and Google announced the flaw Aug 24 (a week after it was made available).

        Now, whether a week is enough time or not is another question... Epic wanted the full 90 days, Google said nope. How much time would be sufficient? Will everyone who downloaded it update, without knowing

    • If Epic used the app store, the vulnerability never would have existed. It's because they're sidestepping the security there that the problem came to be.

      • So you honestly think that getting software from only on place is the best possible future? Android NEEDS to get programs from places other than google. Why are you cheering this crap on. The faster we break people's complete dependance on Google Play, the better off we will all be.
        • Gp stated correctly that this serious vulnerability would not have existed had Epic not insisted that users disable security protections. That's a fact. Not a wish, not a "best possible future", but a simple fact.

          Kinda like the fact that all your money you've been paying into Social Security is gone. It's been spent. It's not sitting there waiting for you to get it when you're older. Wishing things were different doesn't change the facts.

        • > So you honestly think that getting software from only on place is the best possible future?

          So you honestly think an army of millions of 12 year olds can properly vet and secure their Android device? Like it or not, Android, IOS and similar mobile OSs operate on a walled-garden approach to the average user. Half of the reason we have massive malware problems on Windows is due to anyone and anything installing any application any time without proper vetting. Your Grandma gets a scary popup? She does

          • by tlhIngan ( 30335 )

            How about PalmOS or Symbian apps?

            Actually, PalmOS and Symbian apps were open - there was no app store or anything. You downloaded the files and installed them on your phone.

            Of course, it meant that every app had to implement some sort of demoware thing, and not everyone took a credit card so paying for your software was a PITA (especially if you were outside the US). And you often had the trouble of upgrades so you had to hunt down your registration codes again.

            Yes, things are better now since everyone's pr

            • > Actually, PalmOS and Symbian apps were open - there was no app store or anything. You downloaded the files and installed them on your phone.

              I remember well, and the thing about it was you had to use your PC to download them and then go to the trouble of purposely uploading them to your device. Which, as I mentioned I think is a great idea and is exactly how sideload .apk files should have to work because that would dramatically reduce the chances of someone tricking the average user into running somet

    • I find it hard to care about either party when two evil companies are battling it out for the evil crown that only hurts the two evil companies.

      They both suck, just in different ways.

    • When you think you're going the "extra mile" for somebody else, but you're not actually part of their team, and they tell you to stop... That means you weren't helping.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Monday August 27, 2018 @11:52AM (#57203832)
    Comment removed based on user account deletion
    • > Google has nothing to lose by delaying disclosure of an exploit that isnt even in its ecosystem...
      They do have something to lose, the security of and confidence in Android. Disclosing this bug lets users know about it so they can make sure the vulnerability is closed (like by updating the installer).

    • Exactly how is something meant to run on Android NOT "in its ecosystem"?
  • by thaylin ( 555395 ) on Monday August 27, 2018 @11:52AM (#57203834)

    Google followed its own guidelines. Their guidelines are that they will release the details when the first of 2 things happens, either 90 days has expired OR a general availability patch has been released. The second happened, but Epic wanted google to violate its own guidelines for them.

    The problems is in bypassing the play store they did open themselves up some and now they want google to change, not them.

    • Why does Google have any role in this at all? Their role is to develop Android and run their own store. Why are they policing independent developers not using the Google store? Isn't it only Epic's responsibility to communicate with their own customers?

  • by perpenso ( 1613749 ) on Monday August 27, 2018 @11:57AM (#57203862)

    "We asked Google to hold the disclosure until the update was more widely installed," tweeted Tim Sweeney. "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."

    Allowing the unpatched game to continue running also unnecessarily risks Android users. Doesn't google have the ability to delete an app in Android? If so perhaps they should have deleted the unpatched game versions?

    Looking forward maybe google should have the ability to lock out a vulnerable version of an app. Don't delete it, just prevent it from running, only allow it to be updated to a newer version.

    • Google can do that for Play apps. This whole pissing match started because Epic decided NOT to publish Fortnite on the Play Store.

      • Google can do that for Play apps. This whole pissing match started because Epic decided NOT to publish Fortnite on the Play Store.

        If they can remove a Play app then they can remove a non-Play app. They may not do so currently but that is a choice not a technical issue.

    • "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."

      ...amazing how that can be obverted to say "Tim Sweeney refused to prioritize publishing the update and an apology because it would cost Epic PR points".

      ...although seriously, I'm not carping on you about that. You're totally right that Google could have simply dropped a signature for Epic's installer into their vulnerability monitor and instantly yanked it off every Android device if they'd wanted to, but

      • True, I'm just making the point that if we are to judge actions by Epic's "creating an unnecessary risk for Android users" criteria then there may be appropriate actions Epic is not considering.
  • Reverse Engineer (Score:5, Insightful)

    by Luthair ( 847766 ) on Monday August 27, 2018 @12:38PM (#57204170)
    The moment a patch is released attackers have the opportunity to reverse engineer the patch to find the vulnerability regardless of whether there is a subsequent disclosure or not. By this vulnerability being widely circulated in the press its more likely users will upgrade or uninstall than hoping users launch fortnite in the next 90-days. I imagine the real issue Epic has here is that they do not want the bad press leading to users who downloaded Fortnite to try uninstalling.
    • by thaylin ( 555395 )

      You would think most slashdot readers would understand this, apparently not.

      • Most Slashdot readers also understand that if upstream requests that disclosure be delayed because mitigation procedures are in process, then it is normal to respect such a request.

        • by thaylin ( 555395 )

          Except there were no mitigating procedures in process, and google had already identified that nearly all downloads had patched.

          • Rubbish, a patched downloader was being distributed, this is a mitigation procedure. Weasel word "nearly" does not save your argument.

            • by thaylin ( 555395 )

              The patch downloader had ALREADY been distributed, not *being*. and that is not what is meant by "mitigating procedures" I dont know of a reporting company in the world who would say, "well you released a patch, no need to release the details", they all do, all that holding it does is lead to more exploits by people who figure the issue out.

              • The patch downloader had ALREADY been distributed, not *being*

                Where did anybody say that the patched downloader had been completely distributed. Oh right, you made that up. You do understand that the more Google apologists spin this pout with their lame deflections, the longer is stays in view and the worse it looks for Google. don't you? Of course you do. Carry on.

          • by Luthair ( 847766 )
            What mitigation procedure was that, hoping users launch Fortnite at some point? The active player base of fortnite assuredly launches the game more than once a week, disclosing the vulnerability protects the people who have it on their phone and never launch it as they don't have, and may never have the patch installed otherwise.
      • I don't think you even understand it. The vulnerability is that if you connect to a compromised wifi connection and attempt to manually update the app (there is no automatic update) they can spoof the update with their own malicious update.

        If someone uninstalls then searches the web to re-download it using compromised wifi they could be taken to a fake site serving malware. So if someone is naive enough to trust a malicious wifi connection they're even more at risk with this exploit being made public. T
        • by thaylin ( 555395 )

          My god you really went around the neighborhood to try and attack google.

          the exploit was vulnerable to any APP with WRITE_EXTERNAL_STORAGE permission. Any app with the name com.epicgames.fortnite could have been downloaded an installed via that. It did not have to come from a hijacked access point. It was mostly a glorified permissions issue.

          Again, no PR attack, just them following their procedures and being responsible.

  • Google jumped at the chance to punish out of spite, because Epic chose to operate its own store. This is how it looks.

  • by account_deleted ( 4530225 ) on Monday August 27, 2018 @01:44PM (#57204802)
    Comment removed based on user account deletion
  • Everybody has their own rules and guidelines around responsible disclosure. We need an organization like like the IEEE or ACM or CERT to make standard practices for this. This is important because there is always a question of liability. I'd like to know that if I followed the IEEE rules for responsible disclosure that I can be reasonably sure that someone can't sue me.

  • It's very simple, and it's not what this headline says.

    Epic decided to forgo the Play Store for releasing Fortnite.

    Google said "Okay, but this sort of thing can make our platform less secure. Be careful out there."

    Epic releasesd an installer for Fortnite that could install Fortnite without the Play Store.

    Google looks at it, and sees that it can be used to install more than just Fortnite, because it contains some stupidCode that can be used to install all sorts of malicious things because someone at

  • That's really childish of google, especially as Google is only using the 7 day deadline when it's due to a security risk if it's already being actively misused, but it isn't. Normally they have 90 days (or sooner if they notice it being actively being misused).
    So why did they release it with the 7 day deadline? well we all know why...

    • by thaylin ( 555395 )

      Actually the policy says 7 days after a patch has been released, not if being misused, that is their policy.

  • > we worked around the clock (literally) to fix it

    So they put a clock in the middle of the room and arranged their desks around it?

One good suit is worth a thousand resumes.

Working...