The craze for "Pokémon Go" has taken the world by storm since its launch last Wednesday, adding more than $7 billion to Nintendo’s market value. But just when the Japanese gaming firm was enjoying its dream run, a blog post by a principal architect at RedOwl Analytics spoiled the party, labeling the new smartphone game “a huge security risk.”
Adam Reeve said in his blog post that "Pokémon Go" is granted “full account access” to users’ Google accounts when they log in with Google on iOS. According to Reeve, here’s what the app is capable of doing once it has full account access:
Let me be clear - Pokemon Go and Niantic can now:
- Read all your email
- Send email as you
- Access all your Google drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more
“What’s more, given the use of email as an authentication mechanism (think ‘Forgot password’ links) they now have a pretty good chance of gaining access to your accounts on other sites too,” Reeve wrote.
However, Niantic, one of the producers of the game, quickly addressed the issue and released a statement saying that the "Pokémon Go" app does request more permissions than it needs, but that it has not accessed any user information beyond basic profile data. The company also confirmed that it was working on a fix.
Here’s the full statement:
“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and e-mail address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google account information, in line with the data we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”
Meanwhile, Reeve has also updated his blog post, acknowledging Niantic’s statement.
“So Niantic have come out with a statement,” Reeve wrote. “I’m really happy they’re addressing the problem promptly, my intention was only ever to get some attention after my initial attempts to contact the developers failed.”
Although "Pokémon Go" requests full account access on iOS, the Android version of the game doesn’t appear to have the same problem, Ars Technica reported.
"Pokémon Go" requires users to chase virtual Pokémon characters through real-life city streets on their smartphone screens. The game was downloaded onto more Android devices than dating app Tinder within a day of its launch, according to data firm SimilarWeb.