Epic Games Calls Google "Irresponsible" for Disclosing Major Fortnite Android Exploit

by Calum Patterson


The CEO of Epic Games, Tim Sweeney, has called Google's decision to publicly disclose details of a major Fortnite Android exploit "irresponsible", accusing Google of attempting "counter-PR" against Epic.

Epic decided not to use Google's 'Google Play' platform for the launch of their popular battle royale game on Android, an unexpected move for some, and now it seems Google could be hitting back.

Google initially warned Epic that bypassing the Play store and using their own launcher would come with security risks that Google would otherwise deal with.

This possibility became reality when a 'Man-in-the-Disk' (MitD) exploit was discovered in the Epic Games launcher, allowing malicious users to 'hijack' the Fortnite app download and install completely different software instead.

Google discovered the exploit on August 15 and made Epic Games aware immediately. Epic confirmed knowledge of the exploit and said they were working on a fix, and on August 16 at 4:12pm PT, the fix was rolled out.

Within two hours of rolling out the fix, Epic asked Google to keep the details of the exploit private, which Google says it will do for up to 90 days to allow users to patch their devices.

But Google did not wait the 90 days, instead disclosing the vulnerability only seven days later. This did not please Epic Games, and prompted Sweeney to make a statement on the issue, speaking to Mashable:

"Epic genuinely appreciated Google's effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.

However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.

An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336

Google's security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic's distribution of Fortnite outside of Google Play."

Google also had their say on the matter, stating that user security always takes precedence:

"User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue."

Epic clearly feels as though Google purposefully disclosed the exploit earlier than needed as punishment for avoiding the Google Play store.