Security Week 32: Fortnite-Android Drama
That awkward moment when last week's digest turns out to be prophetic. The previous issue covered security risks in Android, in particular vulnerabilities of the man-in-the-disk type, as well as the unsportsmanlike (and money-driven) decision of Epic Games not to publish Fortnite in the Google Play store. On August 25 the pieces fell into place: Google with its store, Epic Games with its Fortnite beta, and a man-in-the-disk vulnerability all became entangled, producing a medium-sized scandal.
Initially the worry was that technically unsophisticated Fortnite players, not finding the Android version in the official Google Play Store, would go looking for it elsewhere and install something malicious on their phones. If you open the store on your smartphone now and search for Fortnite, Google even shows a special message (see the picture above) warning you not to install clone applications from the store. But, as it turned out, the Fortnite installer itself is vulnerable. Not in a catastrophic scenario, but still.
The vulnerability was discovered by Google on August 15, and the technical details were published in their bug tracker. The problem is identical to the one Check Point described (covered in more detail in digest number 31). Applied to Fortnite it works like this: the user downloads an installer from the Epic Games site whose only job is to fetch and install the game itself.
The installer downloads the game file and saves it to external storage. Any application that also has access to external storage can overwrite that file. The installer then starts installing the game without suspecting that it is now launching something else: the authenticity of the downloaded file is never verified. Moreover, a fake Fortnite can be made to gain access to private data automatically, without notifying the user. When the application targets a particular SDK version, the phone will not even ask the user for permissions (which most users approve by default anyway).
The fix is simple: save the downloaded file to internal storage, where only the application that created it has access to it. That is, in fact, what Epic Games did, eliminating the vulnerability within two days. Google's researchers notified the developer on August 15; the issue was resolved on the 17th. Seven days later, on the 24th (a Friday evening), in full accordance with the vulnerability disclosure rules Google follows, the information was made public.
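To make the two points above concrete, here is an added example (written for this digest, not Epic Games' code) of the vulnerable staging pattern beside the hardened one on Android. It assumes an installer app that has already received the APK's expected SHA-256 digest over the same authenticated HTTPS channel as the download metadata (the `EXPECTED_SHA256_HEX` placeholder), and that a `FileProvider` with a matching `<paths>` entry for the app's files directory is declared in the manifest; both are assumptions, and the class and method names are hypothetical.

```java
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Environment;
import androidx.core.content.FileProvider;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Hypothetical helper illustrating the digest's point; not code from the original page. */
public final class SafeApkStaging {

    // Placeholder: the real value comes from the HTTPS metadata response, not from disk.
    static final String EXPECTED_SHA256_HEX = "<sha256 of the APK, from the authenticated metadata>";

    /**
     * The vulnerable pattern: the APK lands on shared external storage.
     * Any app holding the storage permission can overwrite it between
     * download and install (the man-in-the-disk window).
     */
    static File vulnerableStagingFile() {
        return new File(Environment.getExternalStorageDirectory(), "game.apk");
    }

    /**
     * The hardened pattern: app-private internal storage. Only this app
     * (and root) can read or write files under getFilesDir().
     */
    static File privateStagingFile(Context ctx) {
        return new File(ctx.getFilesDir(), "game.apk");
    }

    /** Streams the file through SHA-256 and compares against the expected hex digest in constant time. */
    static boolean verifySha256(File apk, String expectedHex)
            throws IOException, NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] buf = new byte[8192];
        try (InputStream in = new FileInputStream(apk)) {
            int n;
            while ((n = in.read(buf)) > 0) {
                md.update(buf, 0, n);
            }
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : md.digest()) {
            hex.append(String.format("%02x", b));
        }
        return MessageDigest.isEqual(
                hex.toString().getBytes(StandardCharsets.US_ASCII),
                expectedHex.toLowerCase().getBytes(StandardCharsets.US_ASCII));
    }

    /**
     * Verify, then hand the file to the system package installer. The check
     * only closes the hole because the file sits in private storage: on a
     * shared location another app could still swap the file after the check.
     */
    static void installIfVerified(Context ctx) throws IOException, NoSuchAlgorithmException {
        File apk = privateStagingFile(ctx);
        if (!verifySha256(apk, EXPECTED_SHA256_HEX)) {
            throw new SecurityException("APK digest mismatch; refusing to install");
        }
        // Authority is an assumption; it must match the <provider> entry in the manifest.
        Uri uri = FileProvider.getUriForFile(ctx, ctx.getPackageName() + ".fileprovider", apk);
        Intent intent = new Intent(Intent.ACTION_VIEW);
        intent.setDataAndType(uri, "application/vnd.android.package-archive");
        intent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_ACTIVITY_NEW_TASK);
        ctx.startActivity(intent);
    }

    private SafeApkStaging() {}
}
```

The digest check alone would not have been enough: if the file stays on shared storage, a hostile app can replace it after `verifySha256` returns and before the package installer reads it. Moving the file to `getFilesDir()` removes the other writer; the digest then protects against a tampered download rather than against a local race.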
The essence of the scandal is simple: there is a conflict of interest on Google's side. The company takes 30% of any sales made through applications published on Google Play. Epic Games does not plan to put Fortnite in the official store precisely to avoid paying that fee. The game is already popular, so it does not need the extra promotion the Google platform provides. Naturally, the developer explained the decision not in terms of money but as "a desire to develop alternative distribution channels", or something to that effect. And although the Android version is presented as a beta on the Epic Games website, in the Samsung application store it is offered as a regular release and promoted with two banners at once.
In its correspondence with Google, Epic Games reported that the problem was fixed but asked that information about the vulnerability not be published until the standard ninety-day responsible-disclosure period had expired. Google refused: if a fix exists and is already available to everyone, there is no point in hiding the details. In response, the Epic Games CEO, in a comment to Mashable, accused Google of being irresponsible.
Who is right? Google did not violate its own rules for handling information about dangerous vulnerabilities. The comments in the bug tracker rightly note that if the application had been distributed via Google Play there would have been no problem at all: nobody would have needed to build this contraption of an "installer for the installer". On the other hand, Google must have been aware of the conflict, and who makes trouble for another company by publishing on a Friday at seven in the evening? And is the vulnerability really that dangerous? After all, it requires that the user already has a malicious application on the phone, one that can then steal personal data through the hole in the Fortnite installer.
Experience suggests that there are no insignificant trifles in information security. In any other situation this would have been a routine exchange: we found a problem, you fixed it, everything is fine. Here the discussion around a routine vulnerability was immediately politicized. This story is really about a lack of trust. Next time, someone will find a vulnerability in a piece of software and report it to the vendor, and the vendor will deliberately drag out its answers, request additional information, and refuse to admit that the hole was closed long ago. In such a "healthy", "friendly" atmosphere, the likelihood of shooting oneself in the foot only increases.
What else happened?
Kaspersky Lab investigated a new campaign by Lazarus (the group believed to have attacked Sony Pictures in 2014), and it is a real thriller: for the first time it targets Mac OS X, using a sophisticated trojan delivered through the fake website of a cryptocurrency exchange. A brief write-up in Russian is here, and the full English report is here.
OpenSSH closed a not-so-serious vulnerability (an unintentional leak of user names) that had been present in the code for 19 years, since the very first release of the software package. Qualys argues that the fix itself was unintentional: the problem was discovered not before the code was updated but after.
Google is being sued for tracking users who do not want to be tracked, following a recent investigation by the Associated Press. It turned out that disabling location history does not completely disable location tracking.
Disclaimer: Everything is very complicated, and it is not getting any easier. Be careful and attentive.