Security Weekly 55: Fortnite-Android Drama
That adroit moment when you wrote a prophetic digest. In the last issue, it was about the security risks in Android, in particular about vulnerabilities such as Man-in-the-disk, as well as about unsportsmanlike (for the sake of money) behavior of the company Epic Games, which refused to host the game Fortnite in the store Google Play. On August 25, solitaire came together: Google with its store, Epic Games with its beta version of Fortnite and even the man-in-the-disk vulnerability entered into an intimate relationship, giving rise to a medium-sized scandal.
Initially, it was about the fact that technically unprotected players in Fortnite, not finding an Android version in the official store of the Google Play Store, will go look for it somewhere else and install something on the smartphone. If now go to the app from the smartphone and look for Fortnite there, Google will even show you a special message, like in the picture above, so you do not put clone applications from the store. But, as it turned out, the Fortnite installer itself is vulnerable – in the script it’s not that very terrible, but still.
The vulnerability was discovered on August 15 by Google, technical details are published in their bug tracker. The problem is identical to the one that Check Point has dug out (and about which is described in Digest 31 in more detail). With regard to Fortnite, it turns out this way: the user downloads an installer from the site, the only task of which is to find and install the game itself.
The installer loads and saves the game file to external memory. Any application that also has access to external memory can replace this file. The installer will then start installing the game, not suspecting that it is already starting something wrong: the authenticity of the downloaded file is not checked. Moreover, it can be done so that forged Fortnite automatically, without notifying the user, will have access to private data. If the application uses a specific version of the SDK, the phone will not even ask for permission from the user (which is still approved by default in most cases).
The problem is solved simply: you need to save the installer to internal memory, where only the application that created them has access to the files. What, actually, did the company Epic Games, within two days of eliminating the vulnerability. Google researchers notified the developer on August 15, the 17th problem was solved. Seven days later, on the 24th (Friday night), in full compliance with the disclosure rules for vulnerabilities followed by Google, the information was shared.
The essence of the scandal is simple: on the side of Google, there was a conflict of interests. The company takes 30% of any sales in applications laid out on Google Play. Epic Games does not plan to lay out Fortnite in the official store, so as not to pay this fee. Game and so popular – additional promotion, provided by the site Google, it is not required. Of course, the game developer explained this decision is not a monetary issue, but a “desire to develop alternative distribution channels” or something similar. Although on the Epic Games site, the Android version of the game is presented as a beta version, in the application store Samsung it is available simply and advertised at once by two advertising banners, so for sure.
In correspondence with Google, representatives of Epic Games report on the solution of the problem, but ask not to publish information about the vulnerability before the expiration of the standard for standards of responsible disclosure of information ninety days. Google refuses: if there is a fix and it is available to the broad masses of the people, then there is no point in hiding. In response, the general director of Epic Games in a commentary to the edition of Mashable accuses Google of irresponsibility.
Who is right? Google’s own rules for working with dangerous information about the vulnerabilities are not violated. The comments in the bug tracker rightly say that if the application were distributed through Google Play, there would be no problem – you would not have to fence a garden with an “installer installer”. On the other hand, Google had to be aware of the conflict situation, and who is hosting the problems for other companies by publishing information on Friday at seven in the evening? Is vulnerability itself so dangerous? This is because it turns out that the user should already have on the smartphone an application that has bad intentions – through the holey code Fortnite steal personal data.
Experience suggests that there are no insignificant trifles in infobase safety. In any other situation, this would be a normal exchange of information: we found a problem, you eliminated it, everything is fine. Here, the discussion about routine vulnerability was immediately politicized. This story is rather a lack of trust. The next time someone finds a vulnerability in the software, the producer will be denied, and he will intentionally pull with the answers, request additional information, not admit that the hole has long been closed. In such a “healthy”, “friendly” atmosphere the likelihood of shooting at the feet will only increase.
What else happened?
Kaspersky Lab researched a new campaign by the Lazarus group (which allegedly attacked Sony Pictures in 2014), and there is some kind of tough thriller: the Mac OS X system is targeted for the first time, a compound trojan delivered from a counterfeit fake exchange site for purchase and sale fake cryptocurrency. Briefly in detail in English here.
In OpenSSH, a minor vulnerability (unintentional leakage of usernames) that was present in the code of 19 years, with the release of the very first version of the software package was closed. In the company Qualys argue that the closure occurred unintentionally – the problem was detected not before the code update, but after.
Google has been sued for tracking user coordinates when they do not want it, following the recent investigation by the Associated Press. It turned out that disabling the location determination disconnects it not completely.