Slashdot Mirror


'Irresponsible' Google Refused Fortnite's Request To Delay Vulnerability Disclosure To Score Cheap PR Points, Says Epic's Chief (bbc.com)

The leader of the firm behind the hit game Fortnite has accused Google of being "irresponsible" in the way it revealed a flaw affecting the Android version of the title. BBC, with additional input from Slashdot staff: On Friday, Google made public that hackers could hijack the game's installation software to load malware. The installer is needed because Epic Games has bypassed Google's app store to avoid giving it a cut of sales. Epic's chief executive said Google should have delayed sharing the news. "Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google's rapid public release of technical details," he said. "We asked Google to hold the disclosure until the update was more widely installed," tweeted Tim Sweeney. "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."

13 of 230 comments

  1. They're miffed by Hylandr · Score: 5, Insightful

    Google isn't playing nice. Don't get a cut of the profit? Well screw your security alerts.

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    1. Re:They're miffed by 93 Escort Wagon · Score: 4, Insightful

      People should've already been aware that Google isn't above playing politics with software vulnerabilities.

      We've also seen it go the other way - where Google held onto vulnerability announcements regarding its own software far longer than the 90 days (or whatever it specifically is) Project Zero generally says is how long they're willing to wait.

      --
      #DeleteChrome
    2. Re:They're miffed by magarity · Score: 5, Insightful

      There's 2 sides to this:
      1. Google wants to get a cut
      but
      2. Users really, really, really, don't need yet another gaping security hole AKA "installer" on their devices.

    3. Re:They're miffed by spire3661 · Score: 2, Insightful

      Users really really need to get software from places other than google.

      --
      Good-bye
    4. Re:They're miffed by Anonymous Coward · Score: 1, Insightful

      Then really really put the effort into doing it right. Security is not easy - nor cheap.

      That Epic had users installing this is fucking terrifying.

  2. Google was right here by Anonymous Coward · Score: 1, Insightful

    If an application is allowing malware to be sideloaded, the users have damn well a right to know about it.

  3. It certainly makes sense. by nimbius · Score: 4, Insightful

    Google has nothing to lose by delaying disclosure of an exploit that isn't even in its ecosystem...
    however... Google has everything to lose if the idea of operating outside its walled garden catches on.

    --
    Good people go to bed earlier.
  4. Re: Irresponsible Epic released vulnerable code. by barc0001 · Score: 1, Insightful

    Google doesn't distribute Android? When did that happen?

    Regardless, anyone with two brain cells to rub together could see this shitshow (and more in future) coming the second Epic announced that in order to install their software you'd have to allow uncertified install packs on Android. Many many people do not have the technical acumen to understand the full ramifications of that, and will probably forget to flip the switch when they're done, so a whole host of malware providers are even as we speak licking their chops waiting to take advantage of the holes in the devices Epic has just convinced their users to open.

    Does Google charge too much on the Play Store? Probably. But it's their store and they can set any price they think the market will bear, just like anyone else. That's the deal for using Android. Epic is being very irresponsible.

  5. Re:So what's the full story by SantiagoMcRib · Score: 5, Insightful

    This is well stated. And for those that think that it's vindictive on Google's part, well... you're not wrong, but it's the consequence of releasing outside the ecosystem that would automatically deploy the update to the install base.

    I think a lot of people are failing to realize that the 30% cut isn't just to make Google money, but also to fund the infrastructure to host and deploy apps according to their own best practices.

  6. Re:So what's the full story by Albanach · Score: 5, Insightful

    Let's think about what Epic were asking for. They'd prefer users not be notified of a critical vulnerability for three months and instead just wait to see how many upgrade naturally.

    Google on the other hand have a published policy that they will notify of security events after 90 days if unpatched or after a patch is widely available, exactly what happened here.

    While Google does have a strong financial incentive to stop other companies from operating outside the play store, they also have an incentive for Android not to be viewed as a less secure mobile operating system. It seems to me that, if you want to encourage security patches to be applied, you would want to let users know that their existing install has a critical vulnerability. Why Epic would prefer silence can be inferred, but it's not to the benefit of their customers.

  7. Reverse Engineer by Luthair · Score: 4, Insightful

    The moment a patch is released attackers have the opportunity to reverse engineer the patch to find the vulnerability regardless of whether there is a subsequent disclosure or not. By this vulnerability being widely circulated in the press it's more likely users will upgrade or uninstall than hoping users launch Fortnite in the next 90 days. I imagine the real issue Epic has here is that they do not want the bad press leading to users who downloaded Fortnite to try uninstalling.

  8. Re:So what's the full story by Xylantiel · Score: 4, Insightful

    It doesn't help that if Epic's launcher had been distributed through the play store, I think having it update would be less of a problem. And this is one of the major security advantages of distributing through the play store. So you can view the entire decision of Epic to not distribute through the Google store as sacrificing user security for more money. I don't even want to know how many scam download sites there are. It is a lot harder to tell the difference on a phone than on a desktop. If this is any indication of how seriously Epic takes their customers' security, one better assume it's pretty much a field day of vulnerabilities.

    I happen to agree that the Google play store is kind of onerous, but what Epic has done is a worse solution from the user standpoint and failed in a completely predictable way in this case. There are other possible solutions, but the handset vendors are too used to having Google do a lot of things for them to push the issue, or too hostile to each other to work together. ...or maybe it actually all comes back to DRM such that an actual open and fair platform is untenable from the start.

  9. Re: Hard to care about either party... by thaylin · Score: 5, Insightful

    AFTER it has been patched so users can patch? That is not how it works dude. If they announced the bug BEFORE a patch was made available then sure, but after a patch is released it is more irresponsible to NOT release the details because people won't know they need to patch, but exploiters will know there was a patch and can seek it out.

    --
    When you can't win, ad hominem.