by Jason Snell
Pokémon Go gains full access to Google accounts
You can’t create an account for Pokémon Go because the servers are overwhelmed, so the easiest way to play is to log in with your Google account. The problem is, the app asks for complete access to all of your Google data, apparently bypassing even the standard Google permissions screen.
Pokemon Go and Niantic can now:
- Read all your email
- Send email as you
- Access all your Google drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more
What’s more, given the use of email as an authentication mechanism (think “Forgot password” links) they now have a pretty good chance of gaining access to your accounts on other sites too.
And they have no need to do this – when a developer sets up the “Sign in with Google” functionality they specify what level of access they want – best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information.
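To make the scope point concrete, here is an added example (not code from the post, from Niantic, or from Google's SDKs) that builds a "Sign in with Google" authorization request with only the identity scopes a login needs, and audits any authorization URL an app emits against that minimum. The endpoint and scope identifiers are Google's published ones; the client id, redirect URI and state value are placeholders, and the over-broad sample request at the bottom is constructed for illustration.

```python
"""Build and audit Google OAuth 2.0 authorization requests for least-privilege scopes."""
from urllib.parse import urlencode, urlparse, parse_qs

# Google's OAuth 2.0 authorization endpoint (real value).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# The minimum a sign-in flow needs: an OpenID identity plus basic contact info.
SIGN_IN_SCOPES = ("openid", "email", "profile")

# Real Google scope identifiers that grant far more than sign-in. The short
# descriptions are ours, for reporting only.
BROAD_SCOPES = {
    "https://mail.google.com/": "full Gmail access (read, send, delete)",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/gmail.send": "send mail as the user",
    "https://www.googleapis.com/auth/drive": "full Drive access, including delete",
    "https://www.googleapis.com/auth/photoslibrary.readonly": "read Google Photos",
}


def build_auth_url(client_id, redirect_uri, state, scopes=SIGN_IN_SCOPES):
    """Return the authorization URL a least-privilege sign-in should send the user to."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),   # scopes are space-separated in OAuth 2.0
        "state": state,              # CSRF token, checked on the redirect back
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def audit_auth_url(url, allowed=SIGN_IN_SCOPES):
    """Parse an authorization URL and report every scope beyond the allowed minimum."""
    query = parse_qs(urlparse(url).query)
    requested = query.get("scope", [""])[0].split()
    excessive = [s for s in requested if s not in allowed]
    return {
        "requested": requested,
        "excessive": excessive,
        "least_privilege": not excessive,
        "warnings": [BROAD_SCOPES.get(s, "non-sign-in scope: " + s) for s in excessive],
    }


# Constructed over-broad request, modelled on the kind of access the post describes.
OVERBROAD_URL = build_auth_url(
    "client-id-placeholder",
    "https://example.invalid/oauth/callback",
    "state-placeholder",
    scopes=("openid", "email", "https://mail.google.com/",
            "https://www.googleapis.com/auth/drive"),
)


if __name__ == "__main__":
    good = build_auth_url("client-id-placeholder",
                          "https://example.invalid/oauth/callback", "state-placeholder")
    for label, url in (("minimal", good), ("over-broad", OVERBROAD_URL)):
        report = audit_auth_url(url)
        print(label, "least_privilege =", report["least_privilege"])
        for warning in report["warnings"]:
            print("  -", warning)
```

Run it as a script to see the minimal request pass and the constructed one flagged for Gmail and Drive; `audit_auth_url` can equally be pointed at an authorization URL captured from a device's traffic to see what an app actually asks for. A consent screen that skips the prompt, as the tweets below describe, is a separate problem from the scopes themselves, and this check only covers the latter.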
Swift on Security:
Issue is not that Pokemon Go has access to your Google account, it's that Google never asks you to grant it access. Shouldn't be possible.
— SecuriTay (@SwiftOnSecurity) July 11, 2016
Pokemon Go isn't presenting fake Google login, it is Google's native OAuth interface loaded by your phone, but it's skipping confirm screen
— SecuriTay (@SwiftOnSecurity) July 11, 2016
Either Google goofed, or Niantic is doing browser automation to programmatically agree to Google's security warning. Major issue either way.
— SecuriTay (@SwiftOnSecurity) July 11, 2016
Not great. Go here if you want to revoke access to your account. iMore recommends setting up a burner account.