
Pokémon Go for iOS will stop requiring full Google account access

Glenn Fleishman | July 13, 2016
Pokémon Masters, beware: The iPhone app gains access to your Google account, but you can revoke the access now, and a better fix is coming.

The attack risk comes from how the Google account linkage works. With a locally managed account system, like the Trainer Club, the account database holds a mix of plaintext entries, such as a user’s account name and email address, and protected entries for passwords. A well-designed system never stores the password itself, encrypted or otherwise; it stores a salted, deliberately slow hash. Even an attacker who obtains the entire database must then guess each password one expensive hash at a time, and a strong password never falls. (Weak systems, those using fast unsalted hashes or reversible encryption, allow brute-force attacks.)

However, apps and sites that let users sign in with an account run by another service, like Google, Twitter, or Facebook, don’t store a password, encrypted or otherwise, for that third-party service. Instead, after the user logs in at the third-party service and approves the request, the developer receives an access token (in Google’s case an OAuth 2.0 token), a short piece of unique text that the app stores and presents on every later interaction. The token is only as powerful as the permissions, or scopes, the user approved when it was issued, which is why an app that requests full account access when it needs only a user ID and email address matters.

An attacker need only obtain that token to use the linked account within the scope it was granted, whether posting messages on Twitter or reading email on Google. It is a bearer credential: whoever presents it is treated as the user, and no password is required. The one consolation is that the provider can revoke it, so revoking an app’s access invalidates any copy an attacker may hold.
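The contrast drawn in the preceding paragraphs, as an added example rather than code from the article, Niantic, or Google: a locally managed account stores only a salted, slow password hash, so a stolen database still has to be brute-forced one guess at a time, whereas an app that signs users in through a provider stores a bearer token that is directly usable by whoever holds it, up to the scopes it was granted, until the provider revokes it. The identity provider below is a constructed toy; its scope names (`profile`, `mail.read`), token format, and mailbox contents are assumptions for the demo and are not Google’s real OAuth scopes or API.

```python
"""Why a leaked bearer token is worse than a leaked password hash.

Added example written for this article; it is not code from the original
page, from Niantic or from Google. ToyIdentityProvider is a constructed
stand-in: its scope names ("profile", "mail.read") and token format are
assumptions, not Google's real OAuth 2.0 scopes or endpoints.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

# Kept low so the wordlist demo below finishes quickly; production settings
# should be far higher (OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Locally managed account (Trainer Club style): store salt + slow hash,
    never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_with_wordlist(salt: bytes, digest: bytes, wordlist: list[str]) -> str | None:
    """What an attacker holding a stolen database is reduced to: guessing,
    one slow hash at a time. A weak password falls; a strong one does not."""
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


class ToyIdentityProvider:
    """Constructed stand-in for an OAuth 2.0 provider: issues scoped bearer
    tokens, serves data to whoever presents one, and can revoke them."""

    def __init__(self) -> None:
        self._tokens: dict[str, tuple[str, frozenset[str]]] = {}
        # Constructed mailbox contents for the demo.
        self._mail = {"trainer@example.com": ["Reset your some-shop.example password"]}

    def issue_token(self, email: str, scopes: set[str]) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (email, frozenset(scopes))
        return token

    def revoke(self, token: str) -> None:
        self._tokens.pop(token, None)

    def _authorize(self, token: str, needed: str) -> str:
        if token not in self._tokens:
            raise PermissionError("invalid or revoked token")
        email, scopes = self._tokens[token]
        if needed not in scopes:
            raise PermissionError(f"token lacks scope {needed!r}")
        return email

    def userinfo(self, token: str) -> dict[str, str]:
        return {"email": self._authorize(token, "profile")}

    def read_mail(self, token: str) -> list[str]:
        return list(self._mail[self._authorize(token, "mail.read")])


def can_read_mail(idp: ToyIdentityProvider, stolen_token: str) -> bool:
    """An attacker with a copy of the app's stored token simply presents it."""
    try:
        idp.read_mail(stolen_token)
        return True
    except PermissionError:
        return False


def leaked_token_scenario() -> dict[str, bool]:
    """Compare a token scoped to basic profile data with one granted broad
    access, then show that revocation kills the stolen copy."""
    idp = ToyIdentityProvider()
    user = "trainer@example.com"
    basic = idp.issue_token(user, {"profile"})                # what the app needed
    broad = idp.issue_token(user, {"profile", "mail.read"})   # what it asked for
    results = {
        "basic_token_reads_mail": can_read_mail(idp, basic),
        "broad_token_reads_mail": can_read_mail(idp, broad),
    }
    idp.revoke(broad)  # the user revokes the app in the provider's settings
    results["broad_token_after_revoke"] = can_read_mail(idp, broad)
    return results


if __name__ == "__main__":
    wordlist = ["charizard", "pikachu", "mewtwo"]
    salt, digest = hash_password("pikachu")
    print("weak password cracked:", crack_with_wordlist(salt, digest, wordlist))
    salt, digest = hash_password(secrets.token_urlsafe(16))
    print("random password cracked:", crack_with_wordlist(salt, digest, wordlist))
    print(leaked_token_scenario())
```

The password half of the demo shows the attacker's cost model: each guess costs one full PBKDF2 evaluation, so only the password that appears in the wordlist is recovered. The token half shows that the stolen value needs no guessing at all, that the damage is bounded only by the scopes attached to it, and that revoking the grant at the provider is what actually neutralises a leaked copy.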

As Reeve notes, access to email alone can be the thin edge of a wedge to hijack someone’s identity and accounts at multiple sites. Many people use Gmail as their primary or secondary email address, and so other sites would send password-recovery emails to that Gmail account. An attacker with email addresses and tokens could try to reset passwords at popular sites at which it’s likely Pokémon Go users had accounts, and then take over those related accounts.

A spokesperson for Niantic, the game’s developer, said the company has no comment on the matter at this time. We’ve also contacted Google and will update this story when new information arises. (Niantic was once owned by Google, and was spun off as a freestanding company in October 2015 with investment from Google, the Pokémon Company, and Nintendo, which owns a third of the Pokémon Company.)

Niantic’s complete statement:

“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves. For more information, please review Niantic’s Privacy Policy here: https://www.nianticlabs.com/privacy/pokemongo/en”

Update: This story was updated with a response from Niantic and with instructions to revoke Google account access.
