Gotta catch ’em all – permissions to everything you have online, that is
Smash hit mobile game Pokemon Go’s catchphrase is “you gotta catch ’em all” – gotta catch all your Google email, files and photos, that is.
As spotted a couple of hours ago by IT architect Adam Reeve, the ultra-popular monster-catching vitamin-D-injecting game for fat losers is a security nightmare: it can gain extensive access to your Google account when you sign up.

You can avoid using Google by creating an account for the game via the Pokemon Trainer website – but that service has been overloaded by players so plenty of people are using their Google accounts to join instead.

According to stats out today, Pokemon Go was rolled out across the world last week and already has nearly the same number of daily Android users as Twitter.
When you opt to use your Google account as your Pokemon Go sign-in, the iOS and Android versions of the Nintendo-backed game can automatically gain “full access to your Google account,” meaning “the application can see and modify nearly all information in your Google Account.”
That, according to Reeve, means the game and its developer Niantic can:
Read all your email
Send email as you
Access all your Google Drive documents (including deleting them)
Look at your search history and your Maps navigation history
Access any private photos you may store in Google Photos
And more
Niantic spun out of Google in 2015, built augmented-reality game Ingress, and then used that to create Pokemon Go – think of it as regular Pokemon with Google Maps. You run around outdoors – the real outdoors – looking for creatures to capture; the monsters are superimposed over your phone’s camera view to help you imagine catching them when you get near one. Your phone’s location is used to work out if you’re close to a generated pokemon.
And people are obsessed with it.
When you use your Google account to sign up, you should get a dialog box asking if you’re OK with granting the app permission to control your Google account.

But that doesn’t appear, we’re told.
Strangely, not everyone who uses their Google account to sign in hands over full control: if you think you’re affected, you should check the app permissions page for your Google account to see what you’ve granted Pokemon Go.

Issue is not that Pokemon Go has access to your Google account, it’s that Google never asks you to grant it access.
Shouldn’t be possible.
— SecuriTay (@SwiftOnSecurity) July 11, 2016

Pokemon Go isn’t presenting fake Google login, it is Google’s native OAuth interface loaded by your phone, but it’s skipping confirm screen
— SecuriTay (@SwiftOnSecurity) July 11, 2016

Either Google goofed, or Niantic is doing browser automation to programmatically agree to Google’s security warning. Major issue either way.
— SecuriTay (@SwiftOnSecurity) July 11, 2016
If you’re not happy with this level of intrusion, you can’t just uninstall the app: you must also log into your Google account and revoke access to Pokemon Go. We’ve asked Niantic for comment and hope to hear back from them soon.
Meanwhile, in San Francisco and Chicago, planned Pokemon Go gatherings have garnered the interest of thousands of players. ®