Pokemon Go Was Never Able To Read Your Email (gizmodo.com)

Last week a security researcher noted that Pokemon Go's iOS app -- for whatever reason -- was gaining complete hold of one's Google account. But is that really the case? Gizmodo contacted Adam Reeve, the security researcher in question (who also happens to be a former senior engineering manager at Tumblr), to get more details on his claims, upon which Reeve, now Principal Architect at Red Owl Analytics, said he wasn't "100 percent sure" his blog was true. From the report:

Cybersecurity expert and CEO of Trail of Bits Dan Guido has also cast serious doubt on Reeve's claim, saying Google tech support told him "full account access" does not mean a third party can read or send email, access your files or anything else Reeve claimed. It means Niantic can only read biographical information like email address and phone number. In a statement, Google tech support said:

In this case, we checked that the Full account access permission refers to most of the My account settings. Specific actions such as sending emails, modifying folders, etc, require explicit permissions to that service (the permission will say "Has access to Gmail").

Niantic, the company behind the Pokemon Go app, also assures that its app doesn't access anyone's email. Moreover, it is working with Google to ensure that only a user's profile data is accessed by the app. In a statement to Gizmodo, the company said:

We recently discovered that the Pokemon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokemon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokemon GO or Niantic. Google will soon reduce Pokemon GO's permission to only the basic profile data that Pokemon GO needs, and users do not need to take any actions themselves.

Perhaps people should be more careful about the accusations they make.
  • by Archangel Michael ( 180766 ) on Tuesday July 12, 2016 @09:10AM (#52496289) Journal

    Perhaps people should be more careful about the accusations they make.

    Why?

    Accusations are often all that is needed in this world to create the effect you desire. Accusations work, because people think that an accusation = "Guilty" or at least "suspicious" and that is all that is needed to trigger the "fear" response. It works, because most people don't actually THINK, don't want to think, they only care about Kardashians or Taylor Swift.

    Seriously, WE (us people) should require people making accusations to start putting up or shutting up. Guilty until proven innocent sucks.

  • by geekmux ( 1040042 ) on Tuesday July 12, 2016 @09:12AM (#52496291)

    "Perhaps people should be more careful about the accusations they make."

    Uh, people should be more careful?

    Ironically, while we're busy being paranoid about this app, damn near every other app installed on your phone is sucking your privacy dry.

    Right or wrong, let's not pretend this accusation was birthed from sheer stupidity or an addiction to tin-foil hats. There's a damn good reason to be wary of app privacy today, as in there is no such thing.

    • Yes, there is no privacy. And privacy is already hard enough without naming permissions "full account access" when it does not include full access to an account, rather than to a certain subset of the account. It sounds like somebody did that.

      The reporting error wasn't the blogger's fault; it was the fault of whoever named the permission "full account access." And it is still good that he reported it, because it highlighted a problem where the app programmer requested broader permission than needed. The b

      • by mabu ( 178417 )

        >And privacy is already hard enough without naming permissions "full account access" when it does not include full access to an account, rather than to a certain subset of the account.

        Assuming "full access" means "all access" is not a mistake.

        It's probably a good idea to assume the worst in situations like this.

        The fact that "full" wasn't "all" and people assumed otherwise may result in better protection of people's privacy and personal information.

    • I think there are two problems with both the initial report and the fallout. First the definition of "full access" was taken and blown up by many without researching what that meant.

      The second seems to be seeking forgiveness because "yeah we asked for full permission but never used all of the potential features."

      The first is irresponsible reporting - but was solved with peer review. The second is the sorry state of security. An app that can be released requesting admin privs (remember Windows apps that

  • So, in short... (Score:4, Insightful)

    by bobbied ( 2522392 ) on Tuesday July 12, 2016 @09:12AM (#52496297)

    Although we request you approve "full access" we don't use it, and we promise we won't in the future...

    No thank you...

    • by _xeno_ ( 155264 )

      Pretty much.

      This is exactly the same as those old Windows apps that would only run as admin, even if they didn't really need admin privileges. Sure, they might not do anything particularly evil with admin privileges that they don't really need.

      But only half the issue with Windows programs requiring admin access was the potential for the program itself doing something evil. Half the problem was security flaws in said programs being used by malicious third parties.

      It gets worse with games like Pokemon Go where

    • I know it's a slashsin but reading the story reveals that "full account access" is full access to account profile information and nothing else. Since they are a division of google they are getting a new permission created for just the username and email address as it's all they need.
    • Yes. I came to the same conclusion because I too have the reading comprehension skills of a 2 year old.

      Try again.

  • The accusation was that the app had "full access" to google account data. Hence Slashdot's previous headline, PSA: Pokemon Go Has Full Access To Your Google Account Data [slashdot.org]

    This previous story was accurate and true, because by the developers' own admission,

    "[Pokemon Go] erroneously requests full access permission for the user's Google account"

    They are fixing it, and kudos for fixing it, and they've confirmed with Google that they didn't access any additional information, but they still fucked up and have admitte

    • by bfpierce ( 4312717 ) on Tuesday July 12, 2016 @09:22AM (#52496359)

      The problem being nobody actually understood what 'full access' through Google's API actually does, or bothered to go look it up.

      RTFM kids, you'll look a lot less stupid.

      • Here's what the API can do. It's undocumented, so you can't look it up:

        https://gist.github.com/arirub... [github.com]

        "In summary:

        The direct token that Niantic gets can't access the gmail api / gcal api
        However, the token could potentially be exchanged through the undocumented mechanism /MergeSession to create a web session logged in as you on any google property
        I haven't seen the app try to exchange this token for an ubertoken while p

      • by ljw1004 ( 764174 )

        The problem being nobody actually understood what 'full access' through Google's API actually does, or bothered to go look it up.

        RTFM kids, you'll look a lot less stupid.

        What is the "FM"?

        I see a lot of google OAUTH scopes listed at https://developers.google.com/... [google.com]. I don't think there is a "FM" which tells us how to map the poorly-phrased UI dialog to the actual OAUTH scopes. If the UI claims to be asking for "full access", which of those scopes do you think it's asking for? All of them? Including the scope "https://www.googleapis.com/auth/gmail.modify"?

        I've not used Google OAUTH, but I have used Microsoft OAUTH where the scopes had very badly worded UIs, and I bet the sam
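As an added illustration (not from the thread, and not Google's or Niantic's own tooling) of the check the comment above is asking for: rather than guessing how the dialog's wording maps to OAuth scopes, inspect the scopes a granted token actually carries, as reported by Google's OAuth2 tokeninfo endpoint, and compare them with what the app says it needs. The tokeninfo response below is constructed, and the gmail.modify scope in it is a hypothetical placed there so the audit has an over-broad grant to flag.

```python
import json

# Real Google OAuth2 scopes that expose only identity/profile data; anything
# outside this set reaches into user data (mail, drive, calendar, ...).
BASIC_PROFILE_SCOPES = {
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# What Niantic said the app needs: the user's ID and email address.
NEEDED_FOR_SIGN_IN = {"openid", "email"}

# Constructed sample in the shape of a tokeninfo response
# (GET https://oauth2.googleapis.com/tokeninfo?access_token=...). The
# gmail.modify scope is hypothetical, included so the audit flags something.
SAMPLE_TOKENINFO = json.dumps({
    "aud": "example-client-id.apps.googleusercontent.com",
    "scope": "openid email https://www.googleapis.com/auth/gmail.modify",
    "expires_in": "3500",
    "email": "user@example.com",
})


def audit_scopes(tokeninfo_json: str, needed: set) -> dict:
    """Compare the scopes a token really carries with the scopes the app
    claims to need; report the over-grant and any data-access scopes."""
    info = json.loads(tokeninfo_json)
    granted = set(info.get("scope", "").split())   # space-separated list
    return {
        "granted": granted,
        "excess": granted - needed,        # least-privilege violation
        "missing": needed - granted,       # sign-in would break without these
        "data_access": {s for s in granted if s not in BASIC_PROFILE_SCOPES},
    }


def least_privilege_ok(tokeninfo_json: str, needed: set) -> bool:
    """True only when the token holds exactly the needed scopes and none
    that reach user data."""
    r = audit_scopes(tokeninfo_json, needed)
    return not r["excess"] and not r["missing"] and not r["data_access"]


if __name__ == "__main__":
    for key, val in sorted(audit_scopes(SAMPLE_TOKENINFO, NEEDED_FOR_SIGN_IN).items()):
        print(f"{key}: {sorted(val)}")
    print("least privilege:", least_privilege_ok(SAMPLE_TOKENINFO, NEEDED_FOR_SIGN_IN))
```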

    • "The accusation was that the app had "full access" to google account data."

      Which is false. While named something like "full account access" the issue here was poor naming not improper access. The permission only granted access to the account profile information. They did not fuck up, this is currently the permission they must request to access account details such as username and email address. Because they are a Google company Google is responding by creating an entirely new more fine grained permission to
    • This previous story was accurate and true, because by the developers own admission,

      Except for the bit where someone else used the same token and confirmed that, at the time the accusation was made, before anyone worked to change anything, the story was in fact NOT true and they weren't able to access emails.

  • Unfounded speculative claims? FUD and hype?
    In "Cyber" Security? Inconceivable!
  • I'd be careful, I mean what if this one could read your email and send it to its parent company! The same parent company who installed an app without your permission on your android phone! I believe it's called "gmail"...
    • by _xeno_ ( 155264 )

      Niantic is no longer part of Google and hasn't been since August of last year. They split from Google and then had a fairly large investment from Nintendo specifically for the creation of this new Pokemon Go game.

  • I think app developers should write a short sentence justifying their need for the permissions they require. Some apps are just ridiculous. Why does a streaming audio app need to access my call history?
  • Pokemon Go is a psyops brought to you via the same data-mining shill that developed Ingress as well... Niantic, which was formed by John Hanke. Hanke was the original founder of Keyhole (which was acquired by Google, by the way...) a program that received a large chunk of its funding from In-Q-Tel, a government-controlled venture capital firm that, in turn, is supported largely by National Geospatial-Intelligence Agency (NGA), whose primary mission is “collecting, analyzing, and distributing geospatia
  • ...and everyone loses their minds.

    This is probably a Joker meme by now...
  • by Yvan256 ( 722131 ) on Tuesday July 12, 2016 @09:50AM (#52496579) Homepage Journal

    Maybe my iPhone is too old, but what does iOS have to do with a Google account?

    And is a Google account needed to play Pokémon Go?

  • by MrLint ( 519792 ) on Tuesday July 12, 2016 @10:08AM (#52496705) Journal

    "Perhaps people should be more careful about the accusations they make."

    Perhaps what really needs to happen is a better definition of what 'full access' means, and that apps should be more 'careful' about which permissions they request.

    "Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information,"

    • Perhaps what really needs to happen is a better definition of what 'full access' means, and that apps should be more 'careful' about which permissions they request.

      Or perhaps the world should harden up and realise that the app installed on the phone is pretty much far more sandboxed and has far less access to information including the inability to read emails or other files than pretty much any PC program ever.

      People are afraid someone is going to infringe the privacy of their own shadows these days, but only through mobile because accessing internet banking and responding to phishing attacks on a malware infested PC doesn't generate news headlines like it did in the

  • Perhaps people should be more careful about what they name account permission settings.
  • Pokemon Go Was Never Able To Read Your Email

    It certainly wasn't. I've never installed it.

  • "Perhaps people should be more careful about the accusations they make."

    Perhaps fucking companies should be more careful and less lazy about the boilerplate bullshit they throw in, and actually bother to write a relevant fucking EULA/ToS for their software.

    And perhaps you should shut your whore mouth, manishs.

  • If an established security researcher can't figure out what permissions an application is requesting, maybe Google needs to work on their UI.

    On the other hand, maybe the guy is just an idiot.

    I'm not into Pokemon, so I don't know exactly what it displays during installation.

  • The first patch went live about an hour ago, and included a fix to the Google Account scope.

    http://www.popsci.com/pokemon-... [popsci.com]
  • "Pokemon GO account creation process on iOS erroneously requests full access permission for the user's Google account." Yes everyone, please believe us that it is "erroneously" requested. And once we have permission from all the iOS users, because of this erroneous request.... PLEASE BELIEVE we will not use those permissions to violate you. "However, Pokemon GO only accesses basic Google profile information (specifically, your User ID and email address)" yes, PLEASE TAKE OUR WORD ON THIS "MISTAKE"
