Slashdot Mirror


'Irresponsible' Google Refused Fortnite's Request To Delay Vulnerability Disclosure To Score Cheap PR Points, Says Epic's Chief (bbc.com)

The leader of the firm behind the hit game Fortnite has accused Google of being "irresponsible" in the way it revealed a flaw affecting the Android version of the title. BBC, with additional input from Slashdot staff: On Friday, Google made public that hackers could hijack the game's installation software to load malware. The installer is needed because Epic Games has bypassed Google's app store to avoid giving it a cut of sales. Epic's chief executive said Google should have delayed sharing the news. "Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update. The only irresponsible thing here is Google's rapid public release of technical details," he said. "We asked Google to hold the disclosure until the update was more widely installed," tweeted Tim Sweeney. "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."

25 of 230 comments

  1. They're miffed by Hylandr · · Score: 5, Insightful

    Google isn't playing nice. Don't get a cut of the profit? Well screw your security alerts.

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
    1. Re:They're miffed by 93 Escort Wagon · · Score: 4, Insightful

      People should've already been aware that Google isn't above playing politics with software vulnerabilities.

      We've also seen it go the other way - where Google held onto vulnerability announcements regarding its own software far longer than the 90 days (or whatever it specifically is) Project Zero generally says is how long they're willing to wait.

      --
      #DeleteChrome
    2. Re:They're miffed by magarity · · Score: 5, Insightful

      There are 2 sides to this:
      1. Google wants to get a cut
      but
      2. Users really, really, really, don't need yet another gaping security hole AKA "installer" on their devices.

    3. Re:They're miffed by spire3661 · · Score: 2, Insightful

      Users really really need to get software from places other than google.

      --
      Good-bye
  2. So what's the full story by alvinrod · · Score: 2

    I'd at least like to hear Google's side of this first.

    Would hate to unpack the pitchfork for nothing and all that.

    1. Re:So what's the full story by thaylin · · Score: 5, Informative

      Google followed its own guidelines. Their guidelines are that they will release the details when the first of 2 things happens: either 90 days has expired OR a general-availability patch has been released. The second happened, but Epic wanted Google to violate its own guidelines for them.

      --
      When you can't win, ad hominem.
    2. Re:So what's the full story by SantiagoMcRib · · Score: 5, Insightful

      This is well stated. And for those that think that it's vindictive on Google's part, well... you're not wrong, but it's the consequence of releasing outside the ecosystem that would automatically deploy the update to the install base.

      I think a lot of people are failing to realize that the 30% cut isn't just to make Google money, but also to fund the infrastructure to host and deploy apps according to their own best practices.

    3. Re:So what's the full story by Albanach · · Score: 5, Insightful

      Let's think about what Epic were asking for. They'd prefer users not be notified of a critical vulnerability for three months and instead just wait to see how many upgrade naturally.

      Google on the other hand have a published policy that they will notify of security events after 90 days if un-patched or after a patch is widely available, exactly what happened here.

      While Google does have a strong financial incentive to stop other companies from operating outside the play store, they also have an incentive for Android not to be viewed as a less secure mobile operating system. It seems to me that, if you want to encourage security patches to be applied, you would want to let users know that their existing install has a critical vulnerability. Why Epic would prefer silence can be inferred, but it's not to the benefit of their customers.

    4. Re:So what's the full story by Xylantiel · · Score: 4, Insightful

      It doesn't help that if Epic's launcher had been distributed through the play store, I think having it update would be less of a problem. And this is one of the major security advantages of distributing through the play store. So you can view the entire decision of Epic to not distribute through the Google store as sacrificing user security for more money. I don't even want to know how many scam download sites there are. It is a lot harder to tell the difference on a phone than on a desktop. If this is any indication of how seriously Epic takes their customers' security, one better assume it's pretty much a field day of vulnerabilities.

      I happen to agree that the Google Play store is kind of onerous, but what Epic has done is a worse solution from the user standpoint and failed in a completely predictable way in this case. There are other possible solutions, but the handset vendors are too used to having Google do a lot of things for them to push the issue, or too hostile to each other to work together. ...or maybe it actually all comes back to DRM such that an actual open and fair platform is untenable from the start.

  3. Hard to care about either party... by Austerity Empowers · · Score: 2

    It's not clear what level of ownership Google should be expected to take on this. It seems to me that they technically did more than I'd feel obligated to in their shoes. Epic appears to have been responsible for the bug, Google appears to have found it for them. Honestly I think they already went the extra mile right there.

    Of course if Epic used the app store, then I'd expect a more appropriate arrangement of identification, fix and announcement.

    1. Re:Hard to care about either party... by barc0001 · · Score: 2

      If Epic used the app store, the vulnerability never would have existed. It's because they're sidestepping the security there that the problem came to be.

    2. Re:Hard to care about either party... by thaylin · · Score: 2

      > That is in fact the nature of Epic's objection. Google did more than they were obligated to do, and the thing they did put users at risk; it did not protect them.

      I disagree. In order to install the app they had to disable several security mechanisms, and probably not turn them back on. They told Epic about the flaw and waited for them to fix it; once it was fixed and a patch was released, it is best for everyone to know they need to patch immediately, since there are no guarantees their loader auto-patches.

      > And that's where they should have stopped. If Epic were not addressing the bug, then full and immediate disclosure would have been warranted, but that was not the situation.

      Incorrect. Google has an obligation to continue, unless you think flaws should not be disclosed unless they fail to fix them?

      > Nice bug you've got there. Shame if someone announced it unnecessarily while you were fixing it. Guess you should have paid the protection money, eh?

      Again, they did not disclose it during the fix; they disclosed it after a patch had been released. They followed their own guidelines.

      --
      When you can't win, ad hominem.
    3. Re:Hard to care about either party... by Anonymous Coward · · Score: 2, Informative

      > Nice bug you've got there. Shame if someone announced it unnecessarily while you were fixing it. Guess you should have paid the protection money, eh?

      The fix was already made available. As per Google's guidelines, they either announce the issue 90 days after reporting it, or a week after the fix is made broadly available. From the article, the fix was made available on Aug 17, and Google announced the flaw Aug 24 (a week after it was made available).

      Now, whether a week is enough time or not is another question... Epic wanted the full 90 days, Google said nope. How much time would be sufficient? Will everyone who downloaded it update, without knowing there's a major security flaw in their installed version? From the article, the installer is only updated when it or the game is run. So if a user downloads it and tries it once, then doesn't look at it again and also doesn't uninstall it, they are now vulnerable.
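The "whichever comes first" rule the comment describes, written out as a small date calculation. This is an added example, not code from Google, Epic or the article. The fix date (17 Aug 2018) and the announcement date (24 Aug 2018) are the ones quoted above; the report date is not on the page, so the 15 Aug 2018 used below is an assumed placeholder, and the 90-day and 7-day windows are the figures the commenters cite rather than a verified copy of any policy text.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REPORT_WINDOW = timedelta(days=90)  # disclose 90 days after the report...
PATCH_GRACE = timedelta(days=7)     # ...or 7 days after a fix is broadly available


@dataclass(frozen=True)
class Disclosure:
    on: date
    rule: str  # which clause of the policy fired


def disclosure_date(reported: str, patched: Optional[str] = None) -> Disclosure:
    """Earliest publication date under the policy as the thread describes it:
    the 90-day deadline, or patch + 7 days, whichever comes first.
    Dates are ISO strings (YYYY-MM-DD)."""
    reported_on = date.fromisoformat(reported)
    deadline = reported_on + REPORT_WINDOW
    if patched is None:
        return Disclosure(deadline, "90 days after report")
    patched_on = date.fromisoformat(patched)
    if patched_on < reported_on:
        raise ValueError("patch cannot predate the report")
    after_patch = patched_on + PATCH_GRACE
    # A fix that lands very late (after day 83) no longer shortens the clock.
    if after_patch >= deadline:
        return Disclosure(deadline, "90 days after report")
    return Disclosure(after_patch, "7 days after patch")


def extra_days_requested(reported: str, patched: str,
                         requested_hold: timedelta = REPORT_WINDOW) -> int:
    """How many more days of silence a vendor asking for the full 90-day
    window would get beyond the policy's own disclosure date."""
    policy_day = disclosure_date(reported, patched).on
    return (date.fromisoformat(reported) + requested_hold - policy_day).days


if __name__ == "__main__":
    # ASSUMPTION: report date not given on the page; 2018-08-15 is a placeholder.
    # Fix available 2018-08-17 and disclosure 2018-08-24 are from the article.
    d = disclosure_date("2018-08-15", "2018-08-17")
    print(d.on.isoformat(), d.rule)                         # 2018-08-24 7 days after patch
    print(extra_days_requested("2018-08-15", "2018-08-17"))  # 81
    late = disclosure_date("2018-08-15", "2018-11-08")      # fix on day 85
    print(late.on.isoformat(), late.rule)                    # 2018-11-13 90 days after report
```

The second call shows what Epic's request amounts to under these assumptions: roughly eleven and a half more weeks during which users of the old installer would not be told to update. The last call shows the other edge of the policy, where a fix that arrives in the final week does not push disclosure past the 90-day mark.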

    4. Re:Hard to care about either party... by spire3661 · · Score: 2

      So you honestly think that getting software from only one place is the best possible future? Android NEEDS to get programs from places other than Google. Why are you cheering this crap on? The faster we break people's complete dependence on Google Play, the better off we will all be.

      --
      Good-bye
    5. Re: Hard to care about either party... by thaylin · · Score: 5, Insightful

      AFTER it has been patched so users can patch? That is not how it works, dude. If they announced the bug BEFORE a patch was made available then sure, but after a patch is released it is more irresponsible to NOT release the details, because people won't know they need to patch, but exploiters will know there was a patch and can seek it out.

      --
      When you can't win, ad hominem.
  4. It certainly makes sense. by nimbius · · Score: 4, Insightful

    Google has nothing to lose by delaying disclosure of an exploit that isn't even in its ecosystem...
    however... Google has everything to lose if the idea of operating outside its walled garden catches on.

    --
    Good people go to bed earlier.
  5. Google is not to blame here. by thaylin · · Score: 5, Informative

    Google followed its own guidelines. Their guidelines are that they will release the details when the first of 2 things happens: either 90 days has expired OR a general-availability patch has been released. The second happened, but Epic wanted Google to violate its own guidelines for them.

    The problem is that in bypassing the Play store they did open themselves up some, and now they want Google to change, not them.

    --
    When you can't win, ad hominem.
    1. Re:Google is not to blame here. by thaylin · · Score: 2

      What abuse? The patch was released in a matter of a day or so..

      What happens if a hacker finds the vulnerability and targets the users who don't know they need to patch? Well, Epic and Google would have put those people in jeopardy by holding it. This way people know they need to patch.

      --
      When you can't win, ad hominem.
    2. Re:Google is not to blame here. by Luthair · · Score: 2

      The guidelines are reasonable, once a patched version is available interested attackers can compare binaries and discover the vulnerability. All hiding the disclosure does is give these attackers more time to exploit the vulnerability by making it less likely users will know to upgrade.

  6. Lock vulnerable app, can update, can not run by perpenso · · Score: 2

    "We asked Google to hold the disclosure until the update was more widely installed," tweeted Tim Sweeney. "They refused, creating an unnecessary risk for Android users in order to score cheap PR points."

    Allowing the unpatched game to continue running also unnecessarily risks Android users. Doesn't Google have the ability to delete an app in Android? If so, perhaps they should have deleted the unpatched game versions?

    Looking forward, maybe Google should have the ability to lock out a vulnerable version of an app. Don't delete it, just prevent it from running; only allow it to be updated to a newer version.
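The lock-out the comment proposes, as an added example of the decision logic an app or platform would need; it is not code from Epic, Google or Android. The policy document, its field names and the version strings are constructed for the illustration. The two details worth getting right are that version strings must be compared numerically (a plain string compare ranks "2.9" above "2.10") and that anything the gate cannot parse should fail closed rather than unlock the app. How the policy is fetched and authenticated is outside the example; here it is simply embedded.

```python
import json
import re
from typing import Tuple

# Constructed policy document (assumption: a real deployment would obtain this
# from the vendor over an authenticated channel; the field names are invented).
POLICY_JSON = '{"min_safe_version": "2.1.0", "update_url": "https://example.invalid/installer"}'

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '2.10.1' into (2, 10, 1) so comparisons are numeric, not lexical.
    Raises ValueError on anything that is not dot-separated integers."""
    if not _VERSION_RE.match(s):
        raise ValueError(f"malformed version string: {s!r}")
    return tuple(int(part) for part in s.split("."))


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # Treat '2.1' and '2.1.0' as the same version.
    return v + (0,) * (width - len(v))


def decide(installed: str, policy_json: str) -> str:
    """Return one of:
       'run'         - installed version meets the minimum safe version
       'update-only' - known-vulnerable build: refuse to run, allow updating
       'blocked'     - policy or version unparseable; fail closed
    """
    try:
        policy = json.loads(policy_json)
        floor = parse_version(policy["min_safe_version"])
        current = parse_version(installed)
    except (ValueError, KeyError, TypeError):
        # json.JSONDecodeError is a ValueError; a missing key is a KeyError;
        # a non-string version field surfaces as TypeError from the regex.
        return "blocked"
    width = max(len(floor), len(current))
    return "run" if _pad(current, width) >= _pad(floor, width) else "update-only"


if __name__ == "__main__":
    for v in ("2.1.0", "2.0.9", "2.10", "2.1", "2.1-beta"):
        print(f"{v:>8} -> {decide(v, POLICY_JSON)}")
```

The "update-only" state is the comment's middle ground: the vulnerable build stays installed so the user keeps their data and can still update, but it cannot launch. Note that "2.10" correctly ranks above the "2.1.0" floor, which a string comparison would get wrong.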

  7. Re: Irresponsible Epic released vulnerable code. by tbuddy · · Score: 2

    They did the same thing they do with other bugs. Give them 90 days to fix it and disclose 7 days after it is patched, whichever comes first. It's hard to say they are being unfair or aggressive since it is the exact same time window they have for anything else. It's not Google's responsibility to hold on to the release beyond 7 days because Epic asks them for more time to ensure everything is long since patched.

  8. Reverse Engineer by Luthair · · Score: 4, Insightful

    The moment a patch is released attackers have the opportunity to reverse engineer the patch to find the vulnerability, regardless of whether there is a subsequent disclosure or not. By this vulnerability being widely circulated in the press it's more likely users will upgrade or uninstall than hoping users launch Fortnite in the next 90 days. I imagine the real issue Epic has here is that they do not want the bad press leading to users who downloaded Fortnite to try uninstalling.

  9. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  10. Re:childish of google by thaylin · · Score: 2

    Actually the policy says 7 days after a patch has been released, not if being misused, that is their policy.

    --
    When you can't win, ad hominem.
  11. Re: Irresponsible Epic released vulnerable code. by farble1670 · · Score: 2

    It's not Google's responsibility to announce the vulnerability, either. They choose to do so, nobody is forcing them.

    It's only their responsibility if you assume they have an interest in protecting the security of their users.

    Are you for bug disclosures or against them? There is / was a serious security issue w/ the Epic installer. Bug disclosures are a Good Thing. We are all better off for them. Attributing malice to the action doesn't change that fact.

    Unless you are looking for a reason to bash Google. If so, disregard the above.