Pokémon Go Is a No-Go for Security
At least for now
Updated on July 12, 2016
You can imagine the science-fiction episode: A video game suddenly appears in an unwitting society. The game proves so addictive that millions of people endanger themselves just to be able to keep playing it. The game gets so powerful that it can steal their secrets.
That’s actually not an episode of The Twilight Zone or Black Mirror. According to a security expert, it’s the story of Pokémon Go, the augmented-reality mobile game that’s the biggest fad of the summer so far.
In a widely shared blog post this afternoon, Adam Reeve highlighted that millions of Pokémon Go users might be giving the game’s developer, Niantic, access to their entire Gmail account. He writes that this means that Pokémon Go (or anyone with access to its user database) can:
- Read all your email
- Send email as you
- Access all your Google drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more
Reeve is a security architect at RedOwl. Though the security loophole has been confirmed by other experts, it seems to affect only some iOS users of Pokémon Go.
Niantic responded to the security hole on Monday night. The company says it will soon undertake a fix itself and that users don’t need to do anything. In a statement provided to Recode, a spokesman said, in full:
We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.
You can see if you’ve granted access to Pokémon Go on this Google page. If you’re an affected user, that page will say “Pokemon Go has full access to your Google account.”
“I obviously don’t think Niantic are planning some global personal information heist,” Reeve said in his original post. “This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all.”
It’s worth adding that Star Trek: The Next Generation did predict Pokémon Go. In the episode “The Game,” a fun augmented-reality device where players have to “catch” floating discs with wormholes becomes wildly popular on the Starship Enterprise—until it starts to control people’s minds. It’s left to ensigns Robin Lefler (played by Ashley Judd!) and Wes Crusher (portrayed by Wil Wheaton) to save the crew. On Saturday, Wheaton tweeted:
Look, I warned you about Pokémon Go way back in the 90s. None of you listened to me then, and you better hope @BrentSpiner saves you now. — Wil Wheaton (@wilw) July 11, 2016