Hackademicus

it's all about security stupid!
heitinck July 12, 2016 Uncategorized

Pokemon Go is a Risk

Pokemon Go creates Risk
the risk of Pokemon Go gaining access to your account

Pokemon Go

Pokemon Go is the latest in the long-running series of games from Nintendo (although Go is actually made by a developer called Niantic). It’s also the first (I think) to run on your phone. Needless to say, it’s a huge hit. And it looks like a ton of fun – pretty much everyone I know is playing it.

But there seems to be a risk.

ACCOUNT

To play the game you need an account. Weirdly, the game developer won’t let you just create one – you need to sign in with an existing account from one of two services – the pokemon.com website or Google. Now the Pokemon site is for some reason not accepting new signups right now, so if you’re not already registered there you’ll need to use a Google account – and that’s where the fun begins.

I started the game, hit the Google button, and was redirected to log in. Normally you’d see a little message saying what data the app is going to be able to access – something like “This app will be able to view your email address and name”. For some reason that’s not shown in this case, but I went ahead and logged in anyway. Then on a whim I went to see which permissions it was granted. To say I was a little stunned is putting it lightly – it said:

Pokemon Go has full access to your Google account

Here are a couple of excerpts from the Google help page about what this means:

When you grant full account access, the application can see and modify nearly all information in your Google Account

This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.

RISK

The risk of this – Pokemon Go and Niantic can now:

  • Read all your email
  • Send email as you
  • Access all your Google Drive documents (including deleting them)
  • Look at your search history and your Maps navigation history
  • Access any private photos you may store in Google Photos
  • And maybe more

And they have no need to do this. When a developer sets up the “Sign in with Google” functionality, they specify what level of access they want. Best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information.
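To make the least-privilege point concrete, here is an added example (not from the original post and not Niantic's code) that builds a Google OAuth 2.0 authorization request and flags any requested scope beyond basic sign-in. The client ID, redirect URI, state value and the allowed scope set are assumptions chosen for illustration.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed allow-list: what a plain "Sign in with Google" flow needs
# (identity plus basic contact information).
SIGN_IN_SCOPES = {"openid", "email", "profile"}

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Build an authorization-code request URL asking for the given scopes."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),  # space-delimited, per RFC 6749 section 3.3
        "state": state,             # should be random per request in real use
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def excess_scopes(auth_url, allowed=SIGN_IN_SCOPES):
    """Return, sorted, every requested scope that is outside the allowed set."""
    query = parse_qs(urlparse(auth_url).query)
    requested = set(" ".join(query.get("scope", [])).split())
    return sorted(requested - allowed)


# Constructed sample requests (placeholder client and redirect values).
MINIMAL = build_auth_url(
    "example-client-id", "https://app.example/callback",
    ["openid", "email", "profile"], "constructed-state",
)
OVERBROAD = build_auth_url(
    "example-client-id", "https://app.example/callback",
    ["openid", "email",
     "https://mail.google.com/",               # full Gmail access
     "https://www.googleapis.com/auth/drive"],  # full Drive access
    "constructed-state",
)

if __name__ == "__main__":
    for name, url in (("minimal", MINIMAL), ("overbroad", OVERBROAD)):
        extra = excess_scopes(url)
        print(name, "OK" if not extra else "excess scopes: " + ", ".join(extra))
```

A check like this can run in code review or CI against the scopes an app is configured to request, so an over-broad grant is caught before users ever see the consent screen.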

This is probably just the result of epic carelessness. But I don’t know anything about their security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all. I’ve revoked their access to my account, and deleted the app.
I really wish I could play; it looks like great fun. But is it worth the risk?
