Pokemon Go Was Never Able To Read Your Email (gizmodo.com) 109
Last week a security researcher noted that Pokemon Go's iOS app -- for whatever reason -- was gleaning complete hold of one's Google account. But is that really the case? Gizmodo contacted Adam Reeve, the security researcher in question (who also happens to be a former senior engineering manager at Tumblr) to get more details on his claims, upon which Reeve, now Principal Architect at Red Owl Analytics, said he wasn't "100 percent sure" his blog was true. From the report: Cybersecurity expert and CEO of Trail of Bits Dan Guido has also cast serious doubt on Reeve's claim, saying Google tech support told him "full account access" does not mean a third party can read or send email, access your files or anything else Reeve claimed. It means Niantic can only read biographical information like email address and phone number.
In a statement, Google tech support said: In this case, we checked that the Full account access permission refers to most of the My account settings. Specific actions such as sending emails, modifying folders, etc, require explicit permissions to that service (the permission will say "Has access to Gmail").
Niantic, the company behind the Pokemon Go app, also assures that its app doesn't access anyone's email. Moreover, it is working with Google to ensure that only a user's profile data is accessed by the app. In a statement to Gizmodo, the company said: We recently discovered that the Pokemon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokemon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access.
Google has verified that no other information has been received or accessed by Pokemon GO or Niantic. Google will soon reduce Pokemon GO's permission to only the basic profile data that Pokemon GO needs, and users do not need to take any actions themselves.
Perhaps people should be more careful about the accusations they make.
Guilty until Proven Innocent (Score:5, Insightful)
Perhaps people should be more careful about the accusations they make.
Why?
Accusations are often all that is needed in this world to create the effect you desire. Accusations work, because people think that an accusation = "Guilty" or at least "suspicious" and that is all that is needed to trigger the "fear" response. It works, because most people don't actually THINK, don't want to think, they only care about Kardashians or Taylor Swift.
Seriously, WE (us people) should require people making accusations to start putting up or shutting up. Guilty until proven innocent sucks.
Re: (Score:2)
Except in this case, they *were* guilty and it was requesting more access than it needed; the developer flat out admitted it (in TFS no less).
If you'll read the TFS more carefully, I think you'll find that what you describe was not, in fact, the main thrust of the TFS.
Re: (Score:2)
Lighten up Francis.
You poor Snowflake
Accusations vs. reality (Score:3)
"Perhaps people should be more careful about the accusations they make."
Uh, people should be more careful?
Ironically, while we're busy being paranoid about this app, damn near every other app installed on your phone is sucking your privacy dry.
Right or wrong, let's not pretend this accusation was birthed from sheer stupidity or an addiction to tin-foil hats. There's a damn good reason to be wary of app privacy today, as in there is no such thing.
Bad permission naming (Score:2)
Yes, there is no privacy. And privacy is already hard enough without naming permissions "full account access" when it does not include full access to an account, rather than to a certain subset of the account. It sounds like somebody did that.
The reporting error wasn't the blogger's fault; it was the fault of whoever named the permission "full account access." And it is still good that he reported it, because it highlighted a problem where the app programmer requested broader permission than needed. The b
Re: (Score:2)
>And privacy is already hard enough without naming permissions "full account access" when it does not include full access to an account, rather than to a certain subset of the account.
Assuming "full access" means "all access" is not a mistake.
It's probably a good idea to assume the worst in situations like this.
The fact that "full" wasn't "all" and people assumed otherwise, may result in better protection of people's privacy and personal information.
Re: (Score:2)
I think there are two problems with both the initial report and the fallout. First the definition of "full access" was taken and blown up by many without researching what that meant.
The second seems to be seeking forgiveness because "yeah we asked for full permission but never used all of the potential features."
The first is irresponsible reporting - but was solved with peer review. The second is the sorry state of security. An app that can be released requesting admin privs (remember Windows apps that
Re: (Score:3)
You can install it, then revoke its access from your account to what it doesn't need.
App still works fine.
Re: (Score:2)
The change they are making is to create an all new more fine grained permission for just the username and email address because they don't need the entire profile.
Google is bad about fine grained permissions.
So, in short... (Score:4, Insightful)
Although we request you approve "full access" we don't use it, and we promise we won't in the future...
No thank you...
Re: (Score:3)
Pretty much.
This is exactly the same as those old Windows apps that would only run as admin, even if they didn't really need admin privileges. Sure, they might not do anything particularly evil with admin privileges that they don't really need.
But only half the issue with Windows programs requiring admin access was the potential for the program itself doing something evil. Half the problem was security flaws in said programs being used by malicious third parties.
It gets worse with games like Pokemon Go where
Re: (Score:3)
Re: (Score:2)
Yes. I came to the same conclusion because I too have the reading comprehension skills of a 2 year old.
Try again.
This story is garbage (Score:1, Insightful)
The accusation was that the app had "full access" to google account data. Hence Slashdot's previous headline, PSA: Pokemon Go Has Full Access To Your Google Account Data [slashdot.org]
This previous story was accurate and true, because by the developer's own admission,
They are fixing it, and kudos for fixing it, and they've confirmed with Google that they didn't access any additional information, but they still fucked up and have admitte
Re:This story is garbage (Score:5, Informative)
"Did not do" is *NOT* the same as "Could not do".
Accusation was they had access.
They did indeed have access.
Proved wrong by even the summary:
"full account access" does not mean a third party can read or send or send email, access your files or anything else
Yes, slightly confusing. They had "full access" but "full access" does NOT grant you access to Email, Files or any other data.
They say they didn't use that access, good on them. They say they are going to reduce the access requested, great.
The fact remains they had access whether they used it or not.
They had access to account data, but not access to data in any service connected to that account (like email). At least that's how I read this.
Re: (Score:2)
someone upmod this please
Re: (Score:2)
It's "could not", not "did not do".
"Full access" does not include reading or sending email. Period.
Re:This story is garbage (Score:5, Informative)
So yes, the iOS version of the App can do more than it needs to, and that permissions discrepancy has been added to the long list of things that need to be fixed on this still very young and rather buggy game. But No, the App could never do much of what it was being accused of doing.
Re: (Score:2)
Actually as android permissions go this one was relatively reasonable, just poorly named. From my understanding it gave access to your account profile details and was just very very poorly named. They are only creating a more restrictive permission because of the backlash. Honestly, I think they should have just renamed the existing permission.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Similar to saying that running "cat" as root, "can not" delete your data.
sudo cat /dev/urandom > /dev/sda
Say what?
It's not about the app having malicious code in it, it's about the app being exploited, like I just did with cat.
Re:This story is garbage (Score:4, Interesting)
It *potentially* could. And now has been documented as to how it could:
https://gist.github.com/arirub... [github.com]
Re: (Score:3)
No, it COULD NOT 'potentially' do that. Full Google account access IS NOT, and DOES NOT INCLUDE Gmail access. So it CAN NOT access your email, docs, etc, even potentially.
Re: (Score:1)
No, it COULD NOT 'potentially' do that. Full Google account access IS NOT, and DOES NOT INCLUDE Gmail access. So it CAN NOT access your email, docs, etc, even potentially.
You would do well to read what you are disputing before spouting more garbage. It can, but not in a straight forward way. It is a problem, and needs to be fixed.
Re: (Score:1)
Yeah, what CRC'99 said.
Re: (Score:2)
From the github description:
The direct token that Niantic gets can't access the gmail api / gcal api /MergeSession to create a web session logged in as you on any google property
However, the token could potentially be exchanged through the undocumented mechanism
So yes IT COULD.
Re: (Score:2)
Re: (Score:3)
No, it COULD NOT have been written to do that. The permissions that it received DO NOT allow access to email, etc
Re:This story is garbage (Score:5, Insightful)
The problem being nobody actually understood what 'full access' through Google's API actually does, or bothered to go look it up.
RTFM kids, you'll look a lot less stupid.
Re: (Score:3)
Here's what the API can do. It's undocumented, so you can't look it up:
https://gist.github.com/arirub... [github.com]
"In summary:
The direct token that Niantic gets can't access the gmail api / gcal api /MergeSession to create a web session logged in as you on any google property
However, the token could potentially be exchanged through the undocumented mechanism
I haven't seen the app try to exchange this token for an ubertoken while p
Re: (Score:2)
The problem being nobody actually understood what 'full access' through Google's API actually does, or bothered to go look it up.
RTFM kids, you'll look a lot less stupid.
What is the "FM"?
I see a lot of google OAUTH scopes listed at https://developers.google.com/... [google.com]. I don't think there is a "FM" which tells us how to map the poorly-phrased UI dialog to the actual OAUTH scopes. If the UI claims to be asking for "full access", which of those scopes do you think it's asking for? All of them? Including the scope "https://www.googleapis.com/auth/gmail.modify"?
I've not used Google OAUTH, but I have used Microsoft OAUTH where the scopes had very badly worded UIs, and I bet the sam
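The comment above asks which actual OAuth scopes sit behind a vaguely worded consent dialog. The dialog label is not what matters to an application; the scope strings attached to the issued token are. The following added example (mine, not from the thread or from Niantic, Google or Gizmodo) audits a Google tokeninfo-style response against the scopes a sign-in-only app needs. The scope URLs are real Google scope names; the choice of which two scopes correspond to "User ID and email address", the grouping of mail and file scopes, and the sample JSON responses are all my assumptions, constructed for illustration.

```python
import json

# Assumption: a sign-in-only app that needs just the user's ID and email
# address needs these two scopes and nothing else.
NEEDED_SCOPES = {
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Scopes that would let a token read or send mail or touch files.
# The scope names are real; grouping them this way is my own choice.
MAIL_AND_FILE_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}


def audit_scopes(tokeninfo_json: str, needed=NEEDED_SCOPES) -> dict:
    """Compare the scopes a token actually carries with the scopes an
    app legitimately needs. Input is a JSON document shaped like a
    tokeninfo response, whose "scope" field is a space-separated list."""
    info = json.loads(tokeninfo_json)
    granted = set(info.get("scope", "").split())
    return {
        "granted": sorted(granted),
        # Over-privilege: granted but not needed (the Pokemon Go situation).
        "excess": sorted(granted - needed),
        # Under-privilege: needed but not granted (the app would break).
        "missing": sorted(needed - granted),
        # The specific question in the thread: can this token reach mail/files?
        "can_touch_mail_or_files": sorted(granted & MAIL_AND_FILE_SCOPES),
    }


def is_least_privilege(tokeninfo_json: str, needed=NEEDED_SCOPES) -> bool:
    """True only when the token carries exactly the needed scopes."""
    report = audit_scopes(tokeninfo_json, needed)
    return not report["excess"] and not report["missing"]


# Constructed sample responses (not real tokens, not real API output).
SAMPLE_PROFILE_ONLY = json.dumps({
    "scope": "https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile",
    "expires_in": "3599",
})

SAMPLE_OVERBROAD = json.dumps({
    "scope": "https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile "
             "https://www.googleapis.com/auth/gmail.modify "
             "https://www.googleapis.com/auth/drive.readonly",
    "expires_in": "3599",
})


if __name__ == "__main__":
    for name, sample in (("profile-only", SAMPLE_PROFILE_ONLY),
                         ("overbroad", SAMPLE_OVERBROAD)):
        report = audit_scopes(sample)
        print(name, "least privilege:", is_least_privilege(sample))
        print("  excess:", report["excess"])
        print("  mail/file capable:", report["can_touch_mail_or_files"])
```

The point of running this against the token rather than reading the consent screen is that the consent label can be renamed without any change in what the token can reach, while the scope list cannot.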
Re: (Score:2)
Which is false. While named something like "full account access" the issue here was poor naming not improper access. The permission only granted access to the account profile information. They did not fuck up, this is currently the permission they must request to access account details such as username and email address. Because they are a Google company Google is responding by creating an entirely new more fine grained permission to
Re: (Score:2)
This previous story was accurate and true, because by the developer's own admission,
Except for the bit where someone else used the same token and confirmed that at the time the accusation made before anyone worked to change anything the story was in fact NOT true and they weren't able to access emails.
Re: (Score:2)
And bluetooth connections.
I can imagine some connections between a location based game and your contacts' addresses being incorporated into the game somehow, but does someone have any idea what might be the reason behind those two?
Location, camera and phone status are more or less obvious.
Re: (Score:3)
https://www.amazon.com/Nintend... [amazon.com]
Re: (Score:2)
Well, nice... but..... What was again the purpose of those smartwatch thingies when apps require special wristbands?
Re: (Score:2)
Otherwise you need to walk with the phone unlocked, and the app active (unless a mod exists to keep apps in the background believing they're in the foreground).
It's similar to Nintendo's pay for this toy to unlock a game character.
Re: (Score:2)
Making you pay to be able to run the app in the background without you realizing that's what you're doing.
Otherwise you need to walk with the phone unlocked, and the app active (unless a mod exists to keep apps in the background believing they're in the foreground).
It's similar to Nintendo's pay for this toy to unlock a game character.
Seems like you need to do that anyway:
http://www.imore.com/pokemon-g... [imore.com]
"Your device still needs to be running Pokémon Go in the foreground, so you're not saving much battery life, and you'll get those vibrations from your iPhone or Android device, anyway."
Re: (Score:2)
The wristwatch Pokemon Go Plus has a button on it so that (supposedly) you can catch them, activate Pokestops, etc without having to interact with your phone at all.
Granted, it does seem like the sort of function that would be right smack in the wheelhouse of a Smartwatch, so hopefully they release a smartwatch app to mimic it. But for those of us that like the function but
Re: (Score:2)
Re: (Score:2)
It does matter cause I was hoping that bluetooth would support Android Wear and prevent accidents.
Re: (Score:2)
Impossible! (Score:2)
In "Cyber" Security? Inconceivable!
The same company made an app that accesses it! (Score:1)
Re: (Score:2)
Niantic is no longer part of Google and hasn't been since August of last year. They split from Google and then had a fairly large investment from Nintendo specifically for the creation of this new Pokemon Go game.
Re: (Score:1)
Re: (Score:2)
And what it does not include, as TFS says, is email.
Permission Justification (Score:2)
BS: these guys are reading your emails (Score:2)
Re: (Score:2)
No, to make an English Long FrackTon of cash for Nintendo
A Google Company can access your Google Data! (Score:2)
This is probably a Joker meme by now...
iOS? Google account? (Score:3)
Maybe my iPhone is too old, but what does iOS have to do with a Google account?
And is a Google account needed to play Pokémon Go?
Re:iOS? Google account? (Score:4, Informative)
Re: (Score:2)
You can also create an empty Google account just for silly apps like that, separate from your important stuff. Let them read emails from each other.
Re: (Score:2)
Or not let them read emails from each other since that is not what the permission allows.
Editorializing? (Score:3)
"Perhaps people should be more careful about the accusations they make."
Perhaps what really needs to happen is better definition of what 'full access' means and that app should be more 'careful' about which permissions they request.
"Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information,"
Re: (Score:2)
Perhaps what really needs to happen is better definition of what 'full access' means and that app should be more 'careful' about which permissions they request.
Or perhaps the world should harden up and realise that the app installed on the phone is pretty much far more sandboxed and has far less access to information including the inability to read emails or other files than pretty much any PC program ever.
People are afraid someone is going to infringe the privacy of their own shadows these days, but only through mobile because accessing internet banking and responding to phishing attacks on a malware infested PC doesn't generate news headlines like it did in the
Re: (Score:2)
Careful about accusations? (Score:1)
Ingress has had access for years (Score:2)
http://i.imgur.com/TWOedY7.png [imgur.com]
That is absolutely true (Score:2)
Pokemon Go Was Never Able To Read Your Email
It certainly wasn't. I've never installed it.
Perhaps... (Score:2)
"Perhaps people should be more careful about the accusations they make."
Perhaps fucking companies should be more careful and less lazy about the boilerplate bullshit they throw in, and actually bother to write a relevant fucking EULA/ToS for their software.
And perhaps you should shut your whore mouth, manishs.
Re: (Score:2)
Big words from an AC that's too fucking fat to get up from behind their keyboard.
And you're not as anonymous as you think - your vocabulary and typing mannerisms give you away you furry fuckwit.
Competency Question (Score:2)
If an established security researcher can't figure out what permissions an application is requesting, maybe Google needs to work on their UI.
On the other hand, maybe the guy is just an idiot.
I'm not into Pokemon, so I don't know exactly what it displays during installation.
It has Officially been Patched. (Score:2)
http://www.popsci.com/pokemon-... [popsci.com]
erroneous?? (Score:1)
Re: (Score:1)
Slashdot had been forwarding a lot of false rumors over the last few weeks. It appears to be serving its purpose.
Re: (Score:2)
There's more substance to the article than there is inaccuracy. It may be true that the app doesn't have access to a person's gmail account, but the privacy policy makes it clear users should have no actual sense of "privacy" for the data that is collected:
“We may disclose any information about you (or your authorized child) that is in our possession or control to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate”
On top o
Re: (Score:2)
In unrelated news, I've been driving a lot more, lately. I'm sure it has absolutely nothing to do with hearing about kids walking into traffic while playing Pokemon GO.