Fortnite Gaming App Vulnerable to MitD Attacks

Security researchers from Google have revealed that the hugely popular Fortnite app for Android is vulnerable to so-called man-in-the-disk (MitD) attacks.

The vulnerability allows low-privileged malicious apps already installed on a user’s phone to hijack the Fortnite app’s installation process and install other malicious apps that have a higher permission level.

Epic Games, the Fortnite game developer, has released version 2.1.0, which patches this attack vector.

Fortnite gaming app vulnerable to MitD

The concept of man-in-the-disk attacks was recently detailed in more depth by security researchers from Israel-based cyber-security firm Check Point.

In simple terms, MitD attacks are possible when an app stores data outside its Internal Storage space, on External Storage.

An attacker can watch a specific app’s External Storage space and tamper with the data stored in this storage space because this space is shared by all apps.

The Fortnite gaming app is vulnerable to this attack because the app does not contain the actual game, but is merely an installer. Once users install the app, this installer uses the device’s External Storage space to download and install the actual game.

“Any app with the WRITE_EXTERNAL_STORAGE permission can substitute the APK immediately after the download is completed and the fingerprint is verified. This is easily done using a FileObserver. The Fortnite Installer will proceed to install the substituted (fake) APK,” a Google researcher wrote in a bug report recently made public.

“If the fake APK has a targetSdkVersion of 22 or lower, it will be granted all permissions it requests at install-time. This vulnerability allows an app on the device to hijack the Fortnite Installer to instead install a fake APK with any permissions that would normally require user disclosure,” the researcher added.
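
The check-then-use gap the researcher describes can be modelled in a few lines. The following is an added example, not code from the bug report or from Epic Games: it is plain Python rather than Android code, the function names and sample bytes are constructed for illustration, and copying to private storage is shown as a general mitigation, not as the fix shipped in version 2.1.0.

```python
import hashlib
import os
import shutil
import tempfile

GENUINE = b"genuine-package-bytes"    # constructed sample data
FAKE = b"substituted-package-bytes"   # constructed sample data

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def install_from_shared(shared_path, expected, after_check=lambda: None):
    """Check-then-use on shared storage: verify by path, then reopen the path."""
    if sha256_file(shared_path) != expected:
        raise ValueError("fingerprint mismatch")
    after_check()  # window in which any writer to shared storage can act
    with open(shared_path, "rb") as f:
        return f.read()  # bytes that would actually be installed

def install_from_private(shared_path, expected, private_dir, after_check=lambda: None):
    """Copy into app-private storage first, then verify and install that copy."""
    private_path = os.path.join(private_dir, "package.apk")
    shutil.copyfile(shared_path, private_path)
    if sha256_file(private_path) != expected:
        os.remove(private_path)
        raise ValueError("fingerprint mismatch")
    after_check()  # writes to shared storage no longer affect what is installed
    with open(private_path, "rb") as f:
        return f.read()

def run_demo():
    """Return (bytes installed by the shared flow, bytes installed by the private flow)."""
    expected = hashlib.sha256(GENUINE).hexdigest()
    results = []
    for flow in ("shared", "private"):
        with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
            apk = os.path.join(shared, "download.apk")
            with open(apk, "wb") as f:
                f.write(GENUINE)
            def swap():  # models another app rewriting the file after verification
                with open(apk, "wb") as f:
                    f.write(FAKE)
            if flow == "shared":
                results.append(install_from_shared(apk, expected, swap))
            else:
                results.append(install_from_private(apk, expected, private, swap))
    return tuple(results)
```

The shared-storage flow passes the fingerprint check and still installs the substituted bytes, while the private-copy flow installs exactly the bytes it verified.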

Epic Games dissatisfied with Google researchers

But the bug disclosure process came with a side dish of controversy. Epic Games CEO Tim Sweeney accused Google of pulling a PR stunt.

“We asked Google to hold the disclosure until the update was more widely installed. They refused, creating an unnecessary risk for Android users in order to score cheap PR points,” Sweeney said on Twitter, referring to one of his engineers’ request to Google to hold off from publishing for 90 days so Fortnite users could update their apps.

Google refused Epic Games’ request and made the bug report public this week, a week after Epic Games released its patch, making many people believe this was payback after Epic Games pulled the Android app from the Play Store in order for the game developer to keep 100% of the games’ profits.

The move was criticized by many security experts, who warned about possible security flaws that might go under the radar because the app wasn’t scanned by Google’s Bouncer service before reaching users’ devices.

Google says most users have updated

While no reason was given in the original bug report, Sweeney revealed in a subsequent tweet that Google engineers had explained their decision in private.

“Google did privately communicate something to the effect that they’re monitoring Fortnite installations on all Android devices(!) and felt that there weren’t many unpatched installs remaining,” Sweeney said.

This week, Epic Games was also in the headlines for another security-related issue, but for a good reason. In a clever PR move, Epic Games decided to provide all players who turned on two-factor authentication (2FA) for their accounts with a “free dance” (in-game perk).

Credit: BleepingComputer
