The phenomenon that is Nintendo’s Pokémon registered another massive (and arguably its biggest) hit with the release of Pokémon Go, a mobile app game so successful that it helped rocket Nintendo’s shares through the roof. With popularity comes scrutiny and one security researcher has pointed to a significant security risk concerning the iOS and Android versions of the app.
Pokémon Go users, pay attention. Internet security expert Adam Reeve has found a problem with the game, one that makes your entire Google account vulnerable if you’re playing the game.
To play the game, users are first required to set up an account. For whatever the reason, the developer of the game, Niantic, did not set up the means to allow users to create an account. Instead, users had to choose between two existing services for a pre-existing account, between the Pokémon website or a Google account. Most new users are unlikely to have a Pokémon account so are likely to opt in with their Google account.
“Normally you’d see a little message saying what data the app is going to be able to access – something like “This app will be able to view your email address and name”, Reeve explained in his Tumblr blog.
However, no such messages were shown. Reeve went ahead to check which permissions it was granted and his discovery left him “stunned”. The permission read:
Pokemon Go has full access to your Google account.
Granting “full account access” gives an application the means to see and modify “nearly all information” in a user’s Google account, according to Google itself. Understandably, Google reminds users to grant the privilege to applications that can be fully trusted.
As Reeve explains, the permission grants Pokémon Go the means to read and even send your Gmail email, on behalf of you. Full Google account access also extends to controlling (and deleting) your Google drive content, access your photos on Google Photos, look up your search history, discover your Home and Office locations on Google Maps and more.
“What’s more, given the use of email as an authentication mechanism (think “Forgot password” links) they now have a pretty good chance of gaining access to your accounts on other sites too,” Reeve added.
For their part, Niantic insists that it never intended to get total control of users’ Google accounts, with the app only gaining basic information from user’s profile. The developer is working on a patch to fix the permissions sought by the app.
Android users can edit and remove the app’s “full access” to their Google account by visiting their permissions page. For iOS users, the lack of an option to edit the permission means that the only recourse left is to revoke access entirely.
Featured image from Shutterstock.