
Security Week 32: Fortnite Android Drama

That moment when you turn out to have written a prophetic digest. The last issue dealt with security risks in Android, in particular vulnerabilities like Man-in-the-Disk, as well as the unsporting (all for money) behavior of Epic Games, which refused to place Fortnite on Google Play. On 25 August the pieces came together: Google with its store, Epic Games with its beta version of Fortnite, and even the Man-in-the-Disk vulnerability all became intimately entangled, giving rise to a medium-sized scandal.


Initially, the concern was that less technically savvy Fortnite players, not finding the Android version in the official Google Play Store, would go looking for it somewhere else and install something wrong on their smartphone. If you now go to Appstore from your smartphone and search for Fortnite there, Google will even show you a special message, like in the picture above, so that you don't install clones from the app store. But, as it turned out, the Fortnite installer itself is vulnerable: the attack scenario is not exactly horrifying, but still.


The vulnerability was discovered on August 15 by Google, and the technical details were published in their bugtracker. The problem is identical to the one that Check Point dug up (and about which more details are given in digest number 31). With regard to Fortnite, it works like this: the user downloads an installer from the site, whose only task is to find and install the game itself.

The installer downloads the game file and saves it in external storage. Any application that also has access to external storage can overwrite this file. The installer will carry on installing the game, unaware that it is now launching something else: the authenticity of the downloaded file is not checked. Moreover, the fake Fortnite can be made to obtain access to private data automatically, without notifying the user. When an application uses a certain version of the SDK, the phone will not even ask for the user's permission (which is in any case approved by default in most cases).

The problem is solved simply: the installation file must be saved to internal memory, where only the application that created the files has access to them. This is, in fact, what Epic Games did, eliminating the vulnerability within two days. Google researchers notified the developer on August 15, and the problem was resolved on the 17th. Seven days later, on the 24th (Friday night), in full compliance with the vulnerability disclosure rules followed by Google, the information was made public.
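The flaw and the fix described above, modelled as an added Python example (not Epic's or Google's code). Two temporary directories stand in for Android external and internal storage, and the pinned SHA-256 digest is an assumed extra check that addresses the missing authenticity verification; according to the article, the actual fix was the move to internal storage.

```python
import hashlib
import os
import tempfile

# Constructed sample data standing in for the real package and a replaced one.
GENUINE_APK = b"PK\x03\x04 genuine game package (constructed sample)"
TAMPERED_APK = b"PK\x03\x04 replaced by another app (constructed sample)"
# Assumption: the installer knows the expected digest (shipped or fetched over TLS).
EXPECTED_SHA256 = hashlib.sha256(GENUINE_APK).hexdigest()


def stage(directory, payload, mode):
    """Write the downloaded payload into `directory` with the given file mode."""
    path = os.path.join(directory, "game.apk")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return path


def install_unverified(path):
    """Flow from the article: install whatever sits at `path` at install time."""
    with open(path, "rb") as fh:
        return fh.read()  # bytes that would be handed to the package installer


def install_verified(path, expected_sha256):
    """Hardened flow: read once, then check the digest of those exact bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("staged package does not match the expected digest")
    return data


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        os.chmod(private, 0o700)  # models app-private internal storage
        # Shared storage: the file changes between download and install.
        path = stage(shared, GENUINE_APK, 0o666)
        stage(shared, TAMPERED_APK, 0o666)  # models another app's write
        results["unverified_installs_tampered"] = install_unverified(path) == TAMPERED_APK
        try:
            install_verified(path, EXPECTED_SHA256)
            results["verified_rejects_tampered"] = False
        except ValueError:
            results["verified_rejects_tampered"] = True
        # Private storage plus digest check: the genuine package goes through.
        path = stage(private, GENUINE_APK, 0o600)
        results["private_installs_genuine"] = install_verified(path, EXPECTED_SHA256) == GENUINE_APK
    return results
```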

The essence of the scandal is simple: there was a conflict of interest on Google's side. The company takes 30% of any sales in applications published on Google Play. Epic Games has no plans to upload Fortnite to the official store, so as not to pay this fee. The game is already so popular that the additional promotion provided by the Google platform is not required. Of course, the game developer explained this decision not as a money issue, but as "the desire to develop alternative distribution channels" or something similar. Although the Epic Games website presents the Android version of the game as a beta, in the Samsung app store it is simply available and is advertised with two banners at once, just to be sure.


In correspondence with Google, representatives of Epic Games report that the problem has been solved, but ask that information about the vulnerability not be published before the standard ninety-day responsible disclosure period has expired. Google refuses: if there is a fix and it is available to the masses, then there is no point in hiding anything. In response, the Epic Games CEO, in comments to Mashable, accuses Google of irresponsibility.

Who is right? Google has not violated its own rules for handling information about dangerous vulnerabilities. The comments in the bugtracker rightly say that if the application were distributed via Google Play, there would be no problem: there would be no need for the contraption of an "installer for the installer". On the other hand, Google should have been aware of the conflict of interest, and who finds it convenient when information is published on a Friday at seven in the evening? Is the vulnerability itself so dangerous? After all, it turns out that the user must already have an application on the smartphone that has bad intentions: to steal personal data through the leaky Fortnite code.

Experience suggests that there are no insignificant details in information security. In any other situation, this would have been an ordinary exchange of information: we found the problem, you fixed it, everything is fine. Here, the discussion around a routine vulnerability was immediately politicized. This story is really about a lack of trust. Next time, someone will find a vulnerability in a piece of software and report it to the vendor, and the vendor will deliberately drag out its replies, request additional information, and not admit that the hole has long been closed. In such a "healthy", "friendly" atmosphere, the probability of shooting oneself in the foot will only increase.

What else happened?
Kaspersky Lab investigated a new campaign by Lazarus (the group that allegedly attacked Sony Pictures in 2014), and it reads like an intricate action movie: for the first time, Mac OS X is targeted, using a multi-component Trojan delivered from a fake exchange site for buying and selling fake cryptocurrency. A brief write-up in Russian is here, and a detailed one in English is here.

OpenSSH closed a not very serious vulnerability (unintentional leakage of user names) that had been present in the code for 19 years, since the release of the very first version of the software package. Qualys claims that the fix happened unintentionally: the problem was discovered not before the code was updated, but after.

Google was sued for tracking users' location when they do not want it to, following the recent investigation by the Associated Press. It turned out that disabling location tracking does not disable it completely.

Disclaimer: Everything is very difficult, and it does not become easier. Be attentive and careful.

Source: https://habr.com/ru/post/421403/

