Pokémon Go, the mobile augmented reality game that's taken the world by storm in the last few days, gives gamers the chance to catch Pikachu, Pidgey and other pokémon while they ramble around the real world.
What players might not realize is that it also gives the app "full access" to their Google account, which potentially means access to all of their emails, photos, and documents in the cloud, and even the ability to send email as them.
As Google's official support document says, when an app has "full access," it can "see and modify nearly all information in your Google Account."
Adam Reeve, the principal architect at security firm RedOwl, was the first one to warn about the issue on Monday, alerting people of what he called a "huge security risk." When signing in with your Google Account on Pokémon Go for iOS, the game grants itself "full access" without alerting the user. If they followed standard procedure, the game's developers could have simply asked for permission to see the user ID, with no further access.
"It has the potential to be bad if it's misused," Reeve told Motherboard in an email. "It's certainly enough that I would recommend anyone affected to revoke permissions through Google and uninstall the app."
Dan Guido, the founder of security firm Trail of Bits, said that this "means they have a bunch of tokens stored on their servers somewhere that can read a few hundred million people's emails," which is "a little concerning since they can't even keep their servers online with all the load, so how much are they paying attention to security issues right now?"
Reeve wrote that the issue seems to be limited to iOS, and only to some users. But Guido, as well as two of my colleagues at Motherboard, confirmed that when they signed up with their iPhones the app got full access to their accounts.
If you're worried that you too just gave up control of your Google account without realizing it, you should check Google's page listing the apps connected to your account. It shows every app that has some kind of access to your Google account and what level of access each one has. If Pokémon Go has full access, it will be listed there with that permission.
The game doesn't need this kind of access. On Android, despite the fact that the game requires permission to access a whole lot of stuff, it doesn't get full access to your Google account.
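The fix the article describes is a matter of which OAuth scopes the sign-in request asks for: a game that only needs to know who the user is should request the standard OpenID Connect identity scopes and nothing else. The following is an added example, not Niantic's or Google's code, showing how a developer or reviewer can build a least-privilege Google sign-in URL and audit an arbitrary authorization request for scopes beyond that set. The allowlist of `openid`, `email`, and `profile` is an assumption about what sign-in needs; the client ID, redirect URI, and the over-broad scope string in the sample request are constructed placeholders, not values any real app used.

```python
"""Audit the scopes an OAuth 2.0 sign-in request asks for.

Added example; not Niantic's or Google's code. The allowlist below is the
minimal OpenID Connect scope set for "who is this user" sign-in and is an
assumption about what a game like this actually needs.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Standard OpenID Connect scopes: enough to get a stable user ID and email.
SIGN_IN_SCOPES = frozenset({"openid", "email", "profile"})

# Google's OAuth 2.0 authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_sign_in_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Build a least-privilege authorization URL: identity only, nothing else."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(SIGN_IN_SCOPES)),
        "state": state,  # binds the callback to this request (CSRF protection)
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def requested_scopes(auth_url: str) -> set:
    """Extract the space-separated scope list from an authorization URL."""
    query = parse_qs(urlparse(auth_url).query)
    scope_values = query.get("scope", [])
    return {s for value in scope_values for s in value.split() if s}


def excess_scopes(auth_url: str, allowed=SIGN_IN_SCOPES) -> set:
    """Return every scope the request asks for beyond what sign-in needs."""
    return requested_scopes(auth_url) - set(allowed)


def audit(auth_url: str) -> str:
    """One-line verdict suitable for a code review or a proxy log."""
    extra = excess_scopes(auth_url)
    if not extra:
        return "OK: request is limited to sign-in scopes"
    return "OVER-BROAD: " + ", ".join(sorted(extra))


# Constructed sample requests (placeholder client ID and redirect URI).
MINIMAL_REQUEST = build_sign_in_url(
    "example-client-id", "https://app.example/cb", "constructed-state"
)
# The extra scope here is a placeholder string, not the scope any real app requested.
OVERBROAD_REQUEST = (
    GOOGLE_AUTH_ENDPOINT
    + "?client_id=example-client-id&response_type=code"
    + "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
    + "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2FPLACEHOLDER-full-access"
)

if __name__ == "__main__":
    for url in (MINIMAL_REQUEST, OVERBROAD_REQUEST):
        print(audit(url))
```

The audit works from an allowlist rather than a blocklist on purpose: any scope that is not one of the three identity scopes is reported, so a new or unfamiliar broad scope is caught without the reviewer having to know its name in advance.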
Niantic, the company that developed the game, said the app on iOS "erroneously requests full access permission for the user's Google account" during the account creation process.
"However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected," a Niantic spokesperson said in a statement. "Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."
Google parent company Alphabet, which owned Niantic until last year, did not immediately respond to a request for comment.
Ari Rubinstein, a security engineer at Slack, analyzed the app and found that the "full access" permission didn't appear to grant Pokémon Go access to a user's Gmail account. However, Rubinstein also said "the tokens could potentially be used to get Google sessions."
It's unlikely that Niantic and Nintendo intentionally designed the game to get this kind of access.
"I obviously don't think Niantic are planning some global personal information heist," Reeve wrote in his post. "This is probably just the result of epic carelessness."
Still, careless or not, this is a huge mistake that puts tens of millions of users at risk, for no reason.
This article has been updated to include Niantic's statement and the analysis by Ari Rubinstein.
Correction: a previous version of this article said Pokémon Go allows players to catch pokémon such as Mewtwo. Actually, Mewtwo is not available in the game. We regret the error.