Prevent WebRTC leak.
Updated The CEO of Epic Games, maker of smash-hit shoot-em-up Fortnite, continues to savage Google for disclosing a security hole in his software.
Calling the ad giant “irresponsible” for publicly disclosing the vulnerability on Friday, Tim Sweeney posted a string of angry tweets over the weekend and into Monday accusing the search king of hypocrisy – and implied that the release was payback for Epic deciding to offer its game to Android users outside of Google’s official Play app store.
The issue tracker webpage for the bug reveals that Google ran a security check against Epic’s Fortnite installer as soon as it was made publicly available on August 15. The uncovered flaw could be exploited by another malicious app on a phone to hijack the installation process of the game, and install spyware and other dodgy code in its place.
Google reported the issue to Epic which immediately started working on a patch that it put out one day later. Here’s where things get contentious. Two hours after informing Google it had published a fix, Epic’s security team asked Google to delay publication of the issue report for 90 days.
The 90-day delay is common practice and is the standard for bug disclosure under Google’s own guidelines. But Google’s guidelines also state: “After 90 days elapse or a patch has been made broadly available, the bug report – including any comments and attachments – will become visible to the public.”
Google’s security team turned down Epic’s 90-day request and published the information one week after the patch. It’s not clear when Google informed Epic it was going to publish the details; the issue tracker page refers to an email sent direct to Epic.
“As mentioned via email, now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google’s standard disclosure practices,” says a comment posted shortly before the exchanges was made public.
We have asked Google when it sent its email to Epic and what its explanation for turning down the 90-day delay request was and we will update this article if it gets back. But it is safe to assume from the response from Epic’s CEO that it was unexpected.
“Android is an open platform. We released software for it. When Google identified a security flaw, we worked around the clock (literally) to fix it and release an update,” Sweeney tweeted, adding: “The only irresponsible thing here is Google’s rapid public release of technical details.”
Faced with Google fanbois pointing out that the information was only published a week after the patch was made available, he then pointed out that the Fortnite installer “only updates when you run it or run the game.”
Which is the reason Epic asked for a 90-day delay: so the likelihood of users opening the app – and so fixing the security issue – was far, far higher over the course of three months rather than one week.
But he wasn’t finished yet. Another tweet implied that there was a more nefarious reason behind Google’s disclosure: “Wouldn’t it be safer to disclose the technical details of vulnerabilities based on adoption rate of updates rather than mere availability?” he hypothesized, adding: “Of course the PR about the existence of a vulnerability and importance of updating could go ahead without disclosing the technical details.”
In essence, he is suggesting that Google was driven to disclose a security hole in the Fortnite installer. Why? Because Fortnite decided that it would not put its app in the official Google Play app store. Sweeney was quite clear as to why: because he didn’t want to pay Google 30 per cent cut of the app’s revenue.
“The developer pays all the costs of developing the game, operating it, marketing it, acquiring users and everything else,” he explained earlier this month. “We’re trying to make our software available to users in as economically efficient a way as possible. That means distributing the software directly to them, taking payment through Mastercard, Visa, Paypal, and other options, and not having a store take 30 percent.”
He also noted that smartphone platforms “actually do very little” and even make money from selling ads for other apps using the keywords for the most popular apps.
It was a very public black eye for Google. Not only will the company lose millions of dollars in potential revenue but the ensuing publicity over the decision put a spotlight on Google’s price-gouging app store approach, one pioneered by Apple.
The counter-argument against Epic for its decision was that it could create a security risk because it would encourage users to download software from outside the (mostly safe) Play app store.
And so, when Google discovered that this security risk angle was actually real thanks to a hole in Epic’s installer, it had good commercial reasons to let people know about it.
Google of course claims that there was no such malice aforethought in its decision to release the details one week after the patch. It was simply following its policy and with a patch made available, it did what it has always done and made the information public.
Google, to its credit, has a long history of open disclosure as a default. Software manufacturers always have another reason why a security bug shouldn’t be disclosed but too often that approach can lead to holes being hidden for too long with potentially serious implications. Google sticks to its guns on disclosure, despite regularly criticism from companies that wish it had kept quiet.
So is this a case of Google seeking to embarrass Epic for refusing to go through its Play app store? Or is it Epic that is lashing out because of its own acute embarrassment?
We’d have to see the internal emails within Google and understand how far up the decision chain things went to ascertain that. But Epic’s Sweeney did make one further point about how he views it as Google being self-serving.
“This sort of policy would be disastrous if Google applied it to security flaws they discovered in their own software, given the Google/IHV/carrier bottlenecks in pushing Android OS updates,” he jabbed. Although, it would be fair to say that despite Fortnite’s huge popularity it is still a single app. And a game, rather than an operating system. ®
Updated to add
“User security is our top priority, and as part of our proactive monitoring for malware we identified a vulnerability in the Fortnite installer. We immediately notified Epic Games and they fixed the issue,” a Google spokesperson told The Reg in an emailed statement.
Antidetect browser mobile.