
Pokemon Go Security Flaw

SerenadeSP

My Loyal Feraligatr
Saw this trending on Facebook and felt that it should be shared here as well. Someone found a huge security oversight in the iOS version of Pokemon Go that gives Niantic full access to the Google Account if you logged in from an iOS device using said Google Account. This essentially means that they can use it as if they were you, and possibly access other (more important) information.

It seems that the security oversight is indeed an oversight, and as the blogger says, it's likely due to epic carelessness on Niantic's part as opposed to some evil plan. Still, if you use that Google Account regularly and/or use it for credit card transactions, emailing businesses/co-workers, etc., you should revoke the rights immediately.

I happened to be using an account made exclusively for my (free) internet hobbies, so I'm personally not too worried about it since it's not connected to anything important like the above. But until Niantic gives an official word and/or fixes this problem, iOS users should either use a dummy Google account, use a Pokemon Trainer Club account, or refrain from using the app.

I don't mean to cause mass hysteria or anything like that by posting this, but still want everyone to be aware. Pokemon Go is a really fun game and it's netting Niantic a huge amount of money after only its first week (which helps support the case that this oversight wasn't done deliberately or maliciously). However, it's important to proceed with caution until the problem is resolved.


Important Note: Deleting the app alone will not solve the problem. You must still go to your Google Account Security Page and remove access from Pokemon Go Release in order to fix it.

Android users appear to be unaffected, but it's still a good idea to check anyway.

The original discovery on Friday can be found here, and an update post made earlier today (Monday) can be found here. Clear directions on how to remove access to the Google Account can be found here. The original posts are quoted below:

First Post said:
Pokemon Go is a huge security risk

Updates: This seems to only affect iOS users, but not all iOS users (for some unknown reason). I’ve posted responses to some FAQs in a new post here. Original post is below.

I figured I’d post this because I don’t see anyone else talking about it and it bothers me. If you didn’t know, Pokemon Go is the latest in the long running series of games from Nintendo (although Go is actually made by a developer called Niantic). It’s also the first (I think) to run on your phone. Needless to say, it’s a huge hit. And it looks like a ton of fun - pretty much everyone I know is playing it.

But there’s a problem.

To play the game you need an account. Weirdly, Niantic won’t let you just create one - you need to sign in with an existing account from one of two services - the pokemon.com website or Google. Now the Pokemon site is for some reason not accepting new signups right now so if you’re not already registered there you’ll need to use a Google account - and that’s where the fun begins.

I started the game, hit the Google button, and was redirected to log in. Normally you’d see a little message saying what data the app is going to be able to access - something like “This app will be able to view your email address and name”. For some reason that’s not shown in this case, but I went ahead and logged in anyway. Then on a whim I went to see which permissions it was granted (you can see for your own account right here). To say I was a little stunned is putting it lightly - it said:

Pokemon Go has full access to your Google account

Here are a couple of excerpts from the Google help page about what this means:

When you grant full account access, the application can see and modify nearly all information in your Google Account

This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.

Let me be clear - Pokemon Go and Niantic can now:

Read all your email
Send email as you
Access all your Google drive documents (including deleting them)
Look at your search history and your Maps navigation history
Access any private photos you may store in Google Photos
And a whole lot more
What’s more, given the use of email as an authentication mechanism (think “Forgot password” links) they now have a pretty good chance of gaining access to your accounts on other sites too.

And they have no need to do this - when a developer sets up the “Sign in with Google” functionality they specify what level of access they want - best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information.

Now, I obviously don’t think Niantic are planning some global personal information heist. This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all. I’ve revoked their access to my account, and deleted the app. I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk.


Second Post said:
A Quick update on Pokemon Go

I’ve had a bunch of questions and comments about the Pokemon thing (see here if you’re unfamiliar). I figured I’d address the more common ones in a post.

Couldn’t you just create a new Google account and only use it for the game?

Absolutely, but people need to know to do that.

Niantic are part of Google anyway so it doesn’t matter!

Niantic were part of Google, they were spun off last year and are now a separate company. There’s no reason for them to have access to my data stored at Google anymore.

Doesn’t every app do this kind of thing anyway?

Not really. Many apps have been called out for privacy issues and collecting data without permission from their users. Typically this has been limited to data physically on your phone - such as contacts or location information. For one thing, this is more strictly controlled by Android and IOS these days; and for another, full access to a Google account is a lot more than just getting your contacts.

Also different is that I don’t believe Niantic are actually gathering all this personal data, the issue is that they could - and anyone with access to those keys also could.

How do I properly revoke this access?

First, check you’re affected. Go to this page and look for “Pokemon Go Release”. If you see it and want to block it, just click the name and you’ll see a Remove button. Just uninstalling the game will not have an effect.

Is this related to the unofficial APK that has been circulating?

No. So far this issue seems to only affect users on iOS, and an APK is specifically for Android only. Every case of this that I’ve seen has been using the official app as downloaded directly from the iTunes App Store. My personal device is not jailbroken and the app was not sideloaded.

What full access means and how to revoke it (according to cnet.com) said:
According to Google's support page, full access lets the application "see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf)." That's not to say they are actively accessing said information, but the possibility is there for it to happen.

Not cool, guys.

How to revoke access

>You'll need to visit this page.
>Sign in to the same Google account you used for Pokemon Go.
>Click on "Pokemon Go Release" on the list (it should be near the top, where all Full Access apps are listed).
>Click Remove, then OK.

If you're still signed into the app on your iOS device, it appears you can continue using it without issue. At least that's been my experience, having revoked access nearly an hour ago at time of this writing and I'm still catching those pesky critters in my office.

However, the next time the app randomly signs you out (I can't be the only one that's happening to), you'll need to log in and revoke access again. Not an ideal method.

One alternative is to sign up and use a Trainer Club account, but you'll have to start your game from scratch.

The issue only seems to be affecting iOS users. Android users who've used Google to log in to the app haven't granted full access, or any access, for that matter, to their Google account.
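The quoted blog post makes the point that a developer wiring up "Sign in with Google" chooses the scopes the app asks for, and that sign-in needs only basic identity information. The following Python is an added example written for this thread; it is not code from the post, from Niantic, or from Google. It builds a least-privilege authorization request using the standard OAuth 2.0 / OpenID Connect parameters (`client_id`, `redirect_uri`, `response_type`, `scope`, `state`) and an audit helper that flags any scope beyond `openid`, `email` and `profile`. The client id, redirect URI and state value are constructed placeholders; the Drive and Gmail scope URLs used to demonstrate an over-broad request are real Google API scope identifiers, chosen because they map onto the "read your email" and "access your Drive documents" risks described above.

```python
"""Least-privilege "Sign in with Google" request plus a scope audit.

Added example for this thread, not code from the quoted post or from Niantic.
Endpoint and parameter names are standard OAuth 2.0 / OpenID Connect; the
client id, redirect URI and state value below are constructed placeholders.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Google's OAuth 2.0 authorization endpoint.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# All that plain sign-in needs: a stable user id, the email address, the name.
LEAST_PRIVILEGE_SCOPES = {"openid", "email", "profile"}


def build_signin_url(client_id: str, redirect_uri: str, state: str,
                     scopes=("openid", "email", "profile")) -> str:
    """Return an authorization URL that requests only the given scopes.

    The scope parameter is what the consent screen shows the user and what
    the resulting token is limited to, so this is the place to keep narrow.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,  # CSRF token bound to the user's session
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def audit_scopes(auth_url: str) -> dict:
    """Parse an authorization URL and report scopes beyond least privilege.

    Intended as a pre-release check on the request an app actually sends:
    anything outside LEAST_PRIVILEGE_SCOPES needs an explicit justification.
    """
    query = parse_qs(urlparse(auth_url).query)
    requested = set(query.get("scope", [""])[0].split())
    excess = requested - LEAST_PRIVILEGE_SCOPES
    return {
        "requested": sorted(requested),
        "excess": sorted(excess),
        "least_privilege": bool(requested) and not excess,
    }


if __name__ == "__main__":
    good = build_signin_url("example-client-id", "https://example.test/callback",
                            "constructed-state-token")
    print(audit_scopes(good))

    # Constructed over-broad request: sign-in plus full Drive and Gmail access.
    broad = build_signin_url(
        "example-client-id", "https://example.test/callback",
        "constructed-state-token",
        scopes=("openid", "email",
                "https://www.googleapis.com/auth/drive",
                "https://www.googleapis.com/auth/gmail.modify"),
    )
    print(audit_scopes(broad))
```

Running the script shows the sign-in request passing the audit and the constructed Drive/Gmail request failing it with both extra scopes listed. The same check is useful from the user's side of the relationship: whatever an app's consent screen does or does not display, the permissions page the post links to is the authoritative record of what was granted, and "full account access" there is the signal to remove.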
 

JX Valentine

Ever-Discordant
So I'm letting this through the mod queue because y'all have probably already heard of this by now, as the post baaaasically went viral. But it seems the issue either will be resolved or has already been resolved by Niantic. (Idk. Neither article has been updated since reporters have gotten official word from the big guys themselves, but it's clear Niantic is working swiftly.) This also seems to be an issue that affects iOS users only, as Android users have permissions set properly.
 