Google Warns: Major Security Flaw in Fortnite Game

John Lister

The makers of the hit video game "Fortnite" have called Google irresponsible for revealing a security flaw. The controversy follows Epic Games choosing not to use the Google Play store to distribute the game.

Fortnite is free to download and play, but it has proved hugely lucrative thanks to in-game purchases. Although 'buying' character costumes and animations doesn't affect gameplay, gamers - many of them children - have now spent more than a billion dollars.

With so much money at stake, it appears Epic Games didn't want to go through Google Play for the Android version. Had it done so, it would have had to pay Google a 30 percent cut of the revenues.

Normally app developers are content to do so because of the extra exposure and convenience the Google Play store brings, but Epic likely concluded the game was popular enough already that its users would be prepared to put up with a little inconvenience.

Installation Brought Security Risk

Instead of using the Google Play store, players must directly download an installation package on their device and then change security settings to be able to install it. Doing so increases the risk of malware that may not have been picked up by the Google Play verification process.

With that said, Google's security staff recently spotted a major flaw in the installation package. In simple terms, it meant another (rogue) app could hijack the download and put malware on the device instead.

Google informed Epic, who replied two days later to say they had fixed the problem and prepared a patch. Epic asked that Google follow its usual policy of waiting 90 days before disclosing the issue.

Google Says 90-Day Secrecy Not Appropriate

However, Google said this didn't apply in this case, as 90 days is the maximum it will wait if a company hasn't fixed a bug. It explained that once a patch is available, its policy is to disclose seven days later. (Source: bbc.co.uk)

Epic has called this irresponsible, stating that the patch hadn't been installed by all users before Google went public, leaving them exposed to hackers who were tipped off by the disclosure. (Source: mashable.com)

What's Your Opinion?

Are Google's policies on bug disclosure reasonable? Do you think having missed out on the huge revenue cut affected its decision? Should Epic have put the game in the Google Play store in the first place?


Comments

jamies

As a 'user' I consider that having a policy that could leave my systems - ID, phone and banking use etc. - open to exploits for 90 days is irresponsible as it shows more concern for their revenue through sales than for the users of the OS they are selling to phone and other providers.

My view is that any app supplier should be concerned that the software they are releasing should be safe to install and use.
That implying that any known flaws will be fixed within 7 days at the outside, and they should stop any flawed software being sent to users immediately a flaw is reported, and only resume distribution when the software is made safe to use.

So - Google - security rating 7/90
Epic Games - considering their apparent attitude - current rating "not with your bargepole" especially as this, as reported, does not seem to be affecting the current user base, but to be an "Install process" glitch - so, apparently under the entire control of Epic Games, and not requiring any change to the software already installed by their users.

For me, their attitude indicates that they would not be concerned if there are security holes in the installed software.

So, the follow up would be:
Is it safe to have any Epic Games software running on your system?
And as the app presumably uses debit or credit card facilities, and probably records the numbers and authorisation codes used to pay for the 'extras' they persuade children to have their parents get for them
Is it safe to continue to use any system on which the Epic Games Software installer has run?

pctyson

It just seems to me that what Google did was self serving. It smells of being a "strong arm" attempt to coerce them into using the Google Play Store to distribute the game & extras. I do not play the game (or any games) but I can not stand it when a very large company uses slimy tactics to try and get an "I told you that you should have used us" out of another company. Very self serving indeed!!! By the way, why were they happening to look for security flaws in a game installer that they don't even have on their Google Play Store site? This seems just plain scummy to me. Maybe Google needs to really concentrate harder on finding the security flaws in their own products instead of trying to strong arm other companies.