Fixed
Status Update
Comments
br...@epicgames.com <br...@epicgames.com> #2
Hey Edward,
Thank you so much for the report! We'll take a look and forward this to our engineering team.
Thanks,
Epic InfoSec
br...@epicgames.com <br...@epicgames.com> #3
Hey Edward,
We were able to reproduce the bug you submitted and have a team working around the clock to fix it. We are currently testing a fix which resolves the issue on newer Android devices, and will provide updates as our development work continues. We will deploy this update as soon as it becomes available, and have a rough timeline of later this week, possibly as early as tomorrow. Thanks again for bringing this to our attention. We take the security of our users very seriously and will continue to prioritize any security issues.
Thanks,
Epic InfoSec
br...@epicgames.com <br...@epicgames.com> #4
We are currently testing a fix that will resolve this issue on all supported versions of Android (Down to API 19). Once internal testing is complete, we will roll this out to users via our self-update mechanism. Barring any last minute bugs or deployment blockers, we hope to get this out by late tonight or sometime tomorrow. If there are any changes to this tentative timeline, we will let you know.
br...@epicgames.com <br...@epicgames.com> #5
Hey Edward,
We just deployed the fix for this issue to production. This patch changes the default APK storage directory from external to internal storage, which should prevent MITD attacks during the install flow. The patched launcher is version 2.1.0, and all existing installs should upgrade in place. Let me know if you have any questions or concerns with our patch. If you find anything else, please let us know and we will fix it immediately.
Thanks,
Epic InfoSec
br...@epicgames.com <br...@epicgames.com> #6
Hey Edward,
One extra request from the team. We would like to request the full 90 days before disclosing this issue so our users have time to patch their devices.
Please let me know if this is possible.
Thanks,
Epic InfoSec
ej...@google.com <ej...@google.com> #7
Thanks for the prompt fix.
As mentioned via email, now the patched version of Fortnite Installer has been available for 7 days we will proceed to unrestrict this issue in line with Google's standard disclosure practices.
ma...@gmail.com <ma...@gmail.com> #8
The application is so good.
dr...@gmail.com <dr...@gmail.com> #9
Are there other apps in the App Store which are verified as safe, yet can download and run executable code outside of the App Store and its verification process? Even if the "Unknown Sources" checkbox is off?
I have seen numerous apps which download and execute more content, but I am now skeptical of their security. I only wish to run verified executable content.
dy...@gmail.com <dy...@gmail.com> #10
Thanks
al...@piechowski.org <al...@piechowski.org> #11
This issue seems like it could have been mitigated by simply using Google's play store, instead of enabling thousands of devices to be vulnerable.
There is a good reason for non-developers to leave the "Install Unknown Apps" flag off, and users who don't know the security implications of turning that flag on shouldn't be pushed to turn unknown source installations on.
al...@piechowski.org <al...@piechowski.org> #12
Something I forgot to add: thank you Google for reporting this issue immediately. It allowed me to wipe my family's devices that were potentially vulnerable immediately rather than giving a window of 3 months to leave potential breaches on their devices.
ja...@gmail.com <ja...@gmail.com> #13
Is this digital karma?
ja...@gmail.com <ja...@gmail.com> #14
Shame on Epic for being too greedy and exposing their fans to security risks just for making more money.
9j...@gmail.com <9j...@gmail.com> #15
F
ha...@gmail.com <ha...@gmail.com> #16
Oh well, I don't know what just happened.
ty...@gmail.com <ty...@gmail.com> #17
Lol!! Shame on Epic, you say. One might say shame on Google for not complying with Epic's request to wait to disclose the issue. Google did more damage by making it known before people had time to patch it. Maybe Google did it because they are a little snippety about missing out on the money they would have made, lol.
zu...@gmail.com <zu...@gmail.com> #18
In any way, Google has done a great job. If they are snippety, they could have just told the media about that bug, and I'm sure that would be a headline for quite some time. However, they still follow their bug disclosure guideline. It's such a shame for Epic to risk users' security because of their greediness. And this bug could have been avoided if Epic simply distributed Fortnite through the Play Store.
cu...@gmail.com <cu...@gmail.com> #19
No it wouldn't have been, because "there has never been any malware thru the store" said no connoisseur ever
pe...@gmail.com <pe...@gmail.com> #20
I'm sensing the patch doesn't seem to be secure enough. You need to have the binary installer file not natively readable (e.g. as an APK) once the Fortnite Installer completes the download, and only by the time the user clicks on the "Update" button make it readable.
For additional security, instead of the "Update" button doing a post install, have it trigger a custom intent which only triggers the installation if the passed encrypted bundle arguments are correct and the downloaded fingerprint is verified (even the fingerprint text needs to be validated on a web service to confirm that the value came from the server).
But I guess the devs are like, meh.
ge...@gmail.com <ge...@gmail.com> #21
I don't see why they simply do not sign the package and only install signed APKs and/or do checksumming.
[Deleted User] <[Deleted User]> #22
Also, Epic is cheap, not going through the Play Store but making it more difficult to get the game.
ja...@gmail.com <ja...@gmail.com> #23
It's good that Google stayed true to their bug disclosure guidelines. Epic is the one at fault by being cheap and not releasing on the Play Store, then on top of that not doing a good security analysis on their APK. This wasn't a crazy hard bug to find either; the patch just changes the directory in which the APK is installed. I don't know why anyone would find Google at fault for Epic's tight pockets on their billion dollar game. Say Google waited 90 days like Epic wanted; what about people that might have already had their phone hacked because of this issue? The patch isn't going to get their personal information back or uninstall any malware, keyloggers, viruses, or a multitude of other attacks that could have been implemented through this vulnerability. The only one that would benefit from Google not releasing this information is Epic. It doesn't matter if Epic patched this, as hackers have probably already grabbed the original APK and are going to use it maliciously by posting fake Fortnite Android download mirrors/sites; all releasing the bug info later would do is delay anyone from finding out that Epic was the reason their Android was hacked.
xk...@gmail.com <xk...@gmail.com> #24
To be honest, I won't download anything outside of the Play Store since my last phone was totally destroyed by malware. Thanks Epic for being lame; just put it on the damn store before someone tries to sue you...
dj...@gmail.com <dj...@gmail.com> #25
The vulnerability has already been published/demonstrated by researchers. Just because Google has also acknowledged it, means nothing. Google Apps were also affected by this vulnerability (they've been fixed).
Description
dream2lte:/ $ ls -al /sdcard/Android/data/com.epicgames.portal/files/downloads/fn.4fe75bbc5a674f4f9b356b5c90567da5.Fortnite/
total 73360
drwxrwx--x 2 u0_a288 sdcard_rw 4096 2018-08-15 14:38 .
drwxrwx--x 3 u0_a288 sdcard_rw 4096 2018-08-15 14:38 ..
-rw-rw---- 1 u0_a288 sdcard_rw 75078149 2018-08-15 14:38 x1xlDRyBix-YbeDRrU2a8XPbT5ggIQ.apk
-rw-rw---- 1 u0_a288 sdcard_rw 31230 2018-08-15 14:38 x1xlDRyBix-YbeDRrU2a8XPbT5ggIQ.manifest
Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK.
On Samsung devices, the Fortnite Installer performs the APK install silently via a private Galaxy Apps API. This API only checks that the APK being installed has the package name com.epicgames.fortnite. Consequently, a fake APK with a matching package name can be silently installed.
If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure.
A proof-of-concept screen recording is attached.
Using a private internal storage directory rather than external storage would help avoid this vulnerability:
See also this recent blog from Check Point:
[NOTE: This bug is subject to a 90-day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report - including any comments and attachments - will become visible to the public.]
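As an added, defender-side illustration of the mitigation the report and Epic's fix describe (this is not code from the report or from Epic's installer): an Android installer that writes the APK under the app-private getFilesDir(), verifies the server-supplied SHA-256 fingerprint on that same file, and also checks the package name and targetSdkVersion before handing the file to the system installer. The FileProvider authority, the download file name, and the caller that supplies the network InputStream and the expected digest are assumptions; the FileProvider must be declared in the app manifest.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.net.Uri;
import androidx.core.content.FileProvider;
import java.io.*;
import java.security.MessageDigest;

public final class SafeApkInstaller {
    private static final String EXPECTED_PACKAGE = "com.epicgames.fortnite";        // from the report
    private static final String AUTHORITY = "com.example.installer.fileprovider"; // hypothetical

    // Stream the download into internal storage, hashing it as it is written.
    // expectedSha256 is the digest decoded from the server's manifest (assumed caller input).
    public static File download(Context ctx, InputStream body, byte[] expectedSha256) throws Exception {
        // getFilesDir() is private to this app: no other app, even one holding
        // WRITE_EXTERNAL_STORAGE, can swap the file between the hash check and the install.
        File dir = new File(ctx.getFilesDir(), "downloads");
        if (!dir.isDirectory() && !dir.mkdirs()) throw new IOException("cannot create " + dir);
        File apk = new File(dir, "update.apk");
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (OutputStream out = new FileOutputStream(apk)) {
            byte[] buf = new byte[64 * 1024];
            for (int n; (n = body.read(buf)) != -1; ) { md.update(buf, 0, n); out.write(buf, 0, n); }
        }
        if (!MessageDigest.isEqual(md.digest(), expectedSha256)) {
            apk.delete(); // never leave an unverified APK where a later step could pick it up
            throw new SecurityException("APK fingerprint mismatch");
        }
        return apk;
    }

    // Refuse APKs whose manifest does not match what this installer is meant to install.
    public static void checkManifest(Context ctx, File apk) {
        PackageInfo info = ctx.getPackageManager().getPackageArchiveInfo(apk.getPath(), 0);
        if (info == null || !EXPECTED_PACKAGE.equals(info.packageName))
            throw new SecurityException("unexpected package name");
        // targetSdkVersion <= 22 means every requested permission is granted at install time.
        if (info.applicationInfo.targetSdkVersion < 23)
            throw new SecurityException("APK targets a pre-runtime-permission SDK");
    }

    // Let the system installer read the private file through a FileProvider URI grant.
    public static Intent installIntent(Context ctx, File apk) {
        Uri uri = FileProvider.getUriForFile(ctx, AUTHORITY, apk);
        return new Intent(Intent.ACTION_INSTALL_PACKAGE)
                .setDataAndType(uri, "application/vnd.android.package-archive")
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
    }
}
```

Because the hash is computed on the bytes actually written to the private file, and that file is unreachable from other apps, the window the report describes (substitution after fingerprint verification but before install) no longer exists.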