Is Pokemon GO putting your Google account at risk?
If you haven’t heard about Pokemon GO by now, you’ve probably been living under a rock. The latest game from Nintendo/Niantic is such a huge success that after its release, Nintendo’s stock increased by 25%, technically increasing the perceived value of the company by 7 billion dollars. In other words, one could claim that a fifth of the company’s value today depends on the success of Pokemon GO.
I’ve tried the game on a friend’s phone. From what I can tell, this is pretty much like Niantic’s Ingress, except using a much, much more popular franchise that everyone loves, so there’s no question it will be a massive hit. It was fun seeing that a place very close to my office is one of those PokeStops, and having my colleague leverage that to get free stuff. Honestly, it’s a brilliant use of AR.
It’s not all great, though. A big security issue was raised earlier today by Adam Reeve, a Principal Engineer at security firm RedOwl. Adam says that when you sign into Pokemon GO on iOS with a Google account (which the majority of people will be doing, since the alternative is to use a pokemon.com account), the application requests full access to your account, specifically:
- Read all your email
- Send email as you
- Access all your Google Drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more
This is what Google says about full access:
When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).
Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.
This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.
Ironically enough, the issue seems to only affect iOS users, not Android. Adam Reeve also indicates that for some unknown reason, not all accounts are impacted by the problem.
Given how many users have jumped on the app since its release, this could become a massive problem. The problem is less about how Nintendo/Niantic would use this powerful access than about how a third party could somehow compromise the app and get access to all of your data.
Adam Reeve’s statement is bold: Pokemon GO is a huge security risk.
Mainstream news media have tried to contact Niantic, which hasn’t yet replied about this issue.
Did you try Pokemon GO? Are you concerned about this security risk?
Source: Adam Reeve on Tumblr