Is Pokemon GO putting your Google account at risk?
If you haven’t heard about Pokemon GO by now, you’ve probably been living under a rock. The latest game from Nintendo/Niantic is such a huge success that after its release, Nintendo’s stock increased by 25%, technically increasing the perceived value of the company by 7 billion dollars. In other words, one could claim that a fifth of the company’s value today depends on the success of Pokemon Go.
I’ve tried the game on a friend’s phone. From what I can tell, this is pretty much like Niantic’s Ingress, except using a much, much more popular franchise that everyone loves, so there’s no question it will be a massive hit. It was fun seeing that a place very close to my office is one of those PokeStops, and having my colleague leverage that to get free stuff. Honestly, it’s a brilliant use of AR.
It’s not all great though. A big security issue was raised earlier today by Adam Reeve, a Principal Engineer at security firm RedOwl. Adam says that when you sign into Pokemon Go on iOS with a Google Account (which the majority of people will be doing, since the alternative is to use a pokemon.com account), the application requests full access to your account, specifically:
- Read all your email
- Send email as you
- Access all your Google drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more
This is what Google says about full access:
When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).
Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.
This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.
Ironically enough, the issue seems to only affect iOS users, not Android. Adam Reeve also indicates that for some unknown reason, not all accounts are impacted by the problem.
Given how many users have jumped on the app since its release, this could become a massive problem. The problem is less with how Nintendo/Niantic would use this powerful access than with how a third party could somehow compromise the app and get access to all of your data.
Adam Reeve’s statement is bold: Pokemon Go is a huge security risk.
Mainstream news media have tried to contact Niantic, who have not yet replied about this issue.
Did you try Pokemon Go? Are you concerned about this security risk?
source: Adam Reeve on tumblr
Huh, I mean it’s only a security risk if someone exploits the app somehow to do something with your info, or if Niantic, in the game’s code, actually tries to access it.
Yup, that’s enough to be pretty dangerous.
If you haven’t watched Mr. Robot yet, give it a try. You’ll never say something like this lol
If the app is storing the OAuth token on Niantic’s servers and Niantic is compromised the hacker will have a load of compromised GMail accounts to work from.
One very possible outcome is that someone can reverse engineer the app in such a way to access all your info and send it to a third party server. It is not uncommon, for example, for a hacker to use a phony update for this app and then go to a public place, replace the WiFi signal of a public access point and trick the app to think there is an update for it, thus injecting malicious code to an app that you yourself gave full access to your private data. Of course the authors of this app will tell you “that this isn’t such a problem, if you change your password quickly”, but the hacker will already have what he wanted, personal info to build a file in order to have a better understanding of your password preferences.
I’m waiting until someone in Buenos Aires or Detroit gets stabbed to death hunting for pokemon. Then we won’t have to blame drug cartels. Team Rocket is to blame!
if you’re so concerned use a fake google account, piece of *** really
Yeah, I’ve always disliked the idea of giving not only my email address, but any associated information. My solution is to fragment my email. I use different emails for different purposes. Whenever possible I use a login through the service rather than a login through my email.
No I haven’t tried Pokémon Go. I think it’d make me look like an idiot, if everyone else I’ve seen playing it is anything to go by. Pokémon X & Y on the 3DS does just fine. Though if I were to try it, I have both an Android smartphone and a couple of Gmail accounts I use as a spam/burner sign ups catcher so I wouldn’t be worried, no credit cards or real personal details, all fake names etc.
Heard the CIA is tracking people through that… Bad enough they spy on us through the NSA…
Heard the C I to the A is using it to know people’s locations. Bad enough they’re using the N S to the A to S P to the Y on us…
CIA. NSA. Spy. See? No need to space them out.
In Android 6.0 the app asks for permission when it needs it. So if the app wants to send an email, it will pop up and ask to use the phone’s email function. When/if that happens you can “not allow” it and the app won’t be allowed to use it.
Forget people’s accounts being at risk. Apparently the players’ lives could be at risk. Players have been getting robbed, shot at and chased for witnessing murders.
But…pokemans….i needs them D:
Just a thought here, but the Vita has a GPS and a nice screen and some of us have the 3G model, and the Vita can run some mobile games… Is there any way Pokemon Go could be ported? Or would it be extremely difficult to make a Homebrew that would be almost similar? Porting new mobile games to the Vita would be like knocking on the coffin and saying “hey it’s not your time!” lol
This issue has been fixed with yesterday’s 1.0.1 update.
All that’s left is to find them… imgur(dot)com/KS8esUr
Rejoice, trading is possible in the near future once they’ve implemented it… imgur(dot)com/DihZljN
The highest among the primary item tiers are (imgur(dot)com/apNE3pU):
Master Ball, Max Potion, Max Revive
Variants of Incense:
Ordinary, Spicy, Cool, Floral
Variants of Berries:
Razz, Bluk, Nanab, Wepar, Pinap
Unknown Item:
Troy Disk
just create a *** spare account just for pokemon GO just like pokemongocansuckme@gmail.com LOL
to avoid all the madness FAKE ACCOUNTS CONQUER!