Tuesday 30 May 2017

Pokémon Go maker to fix bug after fears game can read iPhone users' emails

Pokemon trading cards are arranged for a photograph at the Pokemon Center Mega Tokyo store in Tokyo, Japan. Photographer: Yuriko Nakao/Bloomberg via Getty Images

Cara McGoogan

Pokémon Go makers Niantic Labs are working with Google to fix a bug that gave them "full account access" to iPhone players' Google accounts, after concerns erupted over gamers' privacy.

The maker of the augmented reality Pokémon game was criticised by security and privacy experts for requesting access to more information than it needed in the iOS version.

However, initial fears that the game could read players' emails and documents in Google Drive were dismissed after Google said that the "full account access" that Pokémon Go requires does not extend to accessing inboxes and other private information. Adam Reeve, an engineer at security company RedOwl, had previously called Pokémon Go a "huge privacy risk".

"Let me be clear - Pokemon Go and Niantic can now: Read all your email, send email as you, access all your Google drive documents (including deleting them), look at your search history and your Maps navigation history, access any private photos you may store in Google Photos and a whole lot more," he said.

Ash, Pikachu and Misty (background) in 4Kids Entertainment's animated adventure "Pokemon3," distributed by Warner Bros. Pictures. (Photo by Warner Bros. Pictures)

Niantic said the game is only able to see users' email addresses and Google ID, but the company nevertheless described the access request as "erroneous" and said it is working with Google to fix it. 

"We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user's Google account," said a spokesman for Niantic.

The Google sign-on step is designed to save users time when they first download the game. But it appears Niantic used an old version of the shared sign-on that meant a specific permissions request was skipped on the iOS version, according to Ari Rubenstein, an engineer at Slack.

Google confirmed that Niantic, a Google startup that spun off in 2015, hasn't accessed or collected any other information about its players, and is now working with the search giant to fix the permissions request.

"Google will soon reduce Pokémon Go's permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves," Niantic said.

Since its launch last week, Pokémon Go has been the cause of other security and safety incidents. In the US four armed robbers used the game to lure nearly a dozen unsuspecting players to a remote car park to rob them, while Australian police warned users to make sure they look up from the game when crossing the road.

Security researchers also discovered a modified version of the game for Android circulating online that could give hackers "full control over a victim's phone". 

Online Editors
