Google essentially got slapped in the face when Epic Games, the developer of the super popular Fortnite, decided not to make the game available through the Play Store, but via its own app.
Google warned Epic that doing so could potentially put Android users at greater security risk, but the game developer brushed it off, insisting on going it alone for several reasons — including not having to give Google a cut of in-app revenue and "embracing open platforms."
Well, now the worst has happened. Despite having no obligation to do so, Google recently discovered an exploit within the Fortnite installer app that allowed malicious apps installed on one's Android phone to hijack the download process so that instead of downloading the game from Epic's server, it could download and install something entirely different, which could potentially leave the device open to attacks.
Here's a quick run-down of what happened:
Google first discovered the vulnerability inside of the Fortnite installer app on Aug. 15 and immediately notified Epic. Details for the exploit weren't public yet. Within 48 hours, Epic patched the Fortnite installer and deployed it to all Android users who installed the app.
Here's where things get a little ugly. Even though Epic quickly released a patch for the installer app, it asked Google not to disclose the details of the exploit until 90 days had passed. That would give users more time to update their installer apps and keep hackers from taking advantage of the bug.
However, Google's bug disclosure guidelines explicitly state the following:
"This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report - including any comments and attachments - will become visible to the public."
Despite Epic's request for Google to wait the full 90 days before disclosing the exploit, Google abided by its own guidelines and shared the details.