| Story Views | |
| Now: | |
| Last Hour: | |
| Last 24 Hours: | |
| Total: | |
Pokemon Go Creates Enormous Security Risk For You, Your Kids…
Follow TIS on Twitter: @Truth_is_Scary & Like TIS of Facebook- facebook.com/TruthisScary
Pokemon Go mania is taking the nation by storm. The IOS / Android app allows users to search and navigate their own communities looking to capture the Pokemon characters. Pokemon Go uses Google Maps as a way to create a fantasy grid reflective of the community you are in, as well, once you located a Pokemon character, it accesses your camera to place the character live in your real world.
Got all that?
Well, that may sound fun to many (or completely silly to someone like me), but in the end, it features what appears to be a nasty security issue for those who don’t understand what they are signing up for. Essentially, you can only sign up for Pokemon via your Google account (they offer to allow you to use their own website to create an account, but that’s not been up and working consistently). The issue? You grant FULL RIGHTS to the Pokemon app to do just about anything it wants with your Google account. And they don’t disclose that until it is too late. I found this post which perfectly describes the issue (plus I’ve went through the process myself to confirm).
Quick update – this seems to be inconsistent. It only seems to happen on iOS, but it doesn’t happen for everyone on iOS. If you fancy helping out join the conversation on Twitter!
I figured I’d post this because I don’t see anyone else talking about it and it bothers me. If you didn’t know, Pokemon Go is the latest in the long running series of games from Nintendo (although Go is actually made by a developer called Niantic). It’s also the first (I think) to run on your phone. Needless to say, it’s a huge hit. And it looks like a ton of fun – pretty much everyone I know is playing it.
But there’s a problem.
To play the game you need an account. Weirdly, Niantic won’t let you just create one – you need to sign in with an existing account from one of two services – the pokemon.com website or Google. Now the Pokemon site is for some reason not accepting new signups right now so if you’re not already registered there you’ll need to use a Google account – and that’s where the fun begins.
I started the game, hit the Google button, and was redirected to log in. Normally you’d see a little message saying what data the app is going to be able to access – something like “This app will be able to view your email address and name”. For some reason that’s not shown in this case, but I went ahead and logged in anyway. Then on a whim I went to see which permissions it was granted (you can see for your own account right here). To say I was a little stunned is putting it lightly – it said:
Pokemon Go has full access to your Google account
Here are a couple of excerpts from the Google help page about what this means:
When you grant full account access, the application can see and modify nearly all information in your Google Account
This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.
Let me be clear – Pokemon Go and Niantic can now:
Read all your email
Send email as you
Access all your Google drive documents (including deleting them)
Look at your search history and your Maps navigation history
Access any private photos you may store in Google Photos
And a whole lot more
What’s more, given the use of email as an authentication mechanism (think “Forgot password” links) they now have a pretty good chance of gaining access to your accounts on other sites too.
And they have no need to do this – when a developer sets up the “Sign in with Google” functionality they specify what level of access they want – best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information.
Source: http://truthisscary.com/2016/07/pokemon-go-creates-enormous-security-risk-for-you-your-kids/
