Epic Games CEO Tim McSweeney put out a statement slamming Google for its handling of the finding and disclosure of a potentially devastating bug found in the original version of the company's Fortnite Installer app. McSweeney said that Google had acted irresponsibly and put users at risk by failing to heed Epic Games' request to go around its usual disclosure policy and hold off on making the bug public for 90 days, allowing users time to patch their installers. He went on to allege that Google had done this as part of the company's "counter-PR efforts" against Epic Games and Fortnite, presumably because of the smash-hit game controversially skipping the Play Store in its distribution.
A Google security researcher found the bug and filed it on the company's issue tracker. Epic Games was notified immediately, and in less than half a week, a patch was going out to everybody who had downloaded Fortnite. Google's bug and exploit disclosure policy kicked in from there, and that policy is fairly simple: once a bug is 90 days old or a patch is widely available, the company makes its disclosure and makes the issue tracker page for the bug in question public. Soon after Epic Games put out the patch, Google made the bug public, despite Epic Games asking Google to wait the full 90 days, and this is what McSweeney took issue with.
For those not in the know, the bug in question was due to a security hole in the permissions used by the installer app, combined with Epic Games not implementing a function to check the integrity of an APK file before having the installer program install it to a user's device. Essentially, any malicious app on a user's device, or any malicious drive-by script the user happened to have picked up from a website or other source, could put any APK file it wanted in place of the official Fortnite APK, and the installer would use its privileges to install that app with full privileges intact. This behavior is mainly due to the fact that Fortnite's actual game APK targets a lower minimum version of Android than the launcher, namely Android 5.0 Lollipop, and as such cannot adequately obtain the full set of necessary permissions to run the game on its own. Exploits like this wouldn't happen in the Play Store due to its requirements for keeping the minimum target APIs for apps and games up to date, making this a rarity in the mobile gaming sphere.
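The missing integrity check described above, as an added example (not code from Epic Games, Google or the original article): a Python sketch of an installer that copies a package into its own private storage while hashing it, and installs only if the SHA-256 matches a pinned value. The pinned digest's source, the file names and the package bytes are constructed assumptions.

```python
import hashlib
import hmac
import os
import tempfile

class IntegrityError(Exception):
    """The staged package does not match the pinned digest."""

def stage_and_verify(shared_path, private_dir, pinned_sha256):
    """Copy into private storage while hashing; return the private path only on a match."""
    digest = hashlib.sha256()
    fd, private_path = tempfile.mkstemp(dir=private_dir, suffix=".apk")  # mode 0600
    try:
        with os.fdopen(fd, "wb") as dst, open(shared_path, "rb") as src:
            for chunk in iter(lambda: src.read(65536), b""):
                digest.update(chunk)   # hash exactly the bytes we keep
                dst.write(chunk)
        if not hmac.compare_digest(digest.hexdigest(), pinned_sha256.lower()):
            raise IntegrityError("package digest mismatch; refusing to install")
    except BaseException:
        os.unlink(private_path)        # never leave an unverified copy behind
        raise
    return private_path                # caller installs from here, never from shared_path

def demo():
    """Constructed scenario: a genuine package, then a replaced one."""
    official = b"constructed stand-in for the genuine package bytes"
    pinned = hashlib.sha256(official).hexdigest()  # assumption: shipped inside the installer
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        staged = os.path.join(shared, "game.apk")
        with open(staged, "wb") as f:
            f.write(official)
        verified = stage_and_verify(staged, private, pinned)
        with open(staged, "wb") as f:  # shared file replaced after verification
            f.write(b"constructed stand-in for a replaced package")
        with open(verified, "rb") as f:
            private_copy_intact = f.read() == official
        try:
            stage_and_verify(staged, private, pinned)
            swapped_rejected = False
        except IntegrityError:
            swapped_rejected = True
        leftovers = len(os.listdir(private))  # only the verified copy remains
    return private_copy_intact, swapped_rejected, leftovers

if __name__ == "__main__":
    print(demo())
```

Hashing the same bytes that are written to the private copy means a later replacement of the shared file cannot change what gets installed.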