The recently-released Pokémon Go has quickly emerged as a cultural phenomenon, with legions of players using their phones to “catch” Pokémon that emerge all around them, visible (thankfully) only to players. While catching Pokémon by phone is far less cumbersome than collecting boxes upon boxes of Pokémon cards, as some of us did in the early aughts, it does come with its own set of pitfalls. Specifically, users have learned that Niantic, the maker of the Pokémon Go application, was accidentally capturing a worryingly high level of access to its users’ private information while those users were busy capturing Pokémon.
As discovered by Adam Reeve, a principal architect at the analytics firm Red Owl, when a player used her Google account to activate the pre-update iOS version of the application, the application gained full access to that player’s Google account. Most applications request minimal account access. In this case, however, the level of access requested by Pokémon Go allowed the application and Niantic to “act effectively as if it were the account owner.” The application had the power to “access your Gmail, your Google Docs, your Google Photos, as well as track your location history, your search history, and more.” (There were a few exceptions—the access did not allow an application to change a player’s password or take money from a player’s Google Wallet.) Additionally, neither the application nor Google’s log-in process specified the level of access being given to Pokémon Go.
This level of access was described as “a privacy nightmare.” While full access “isn’t inherently a security flaw,” it creates risk for Niantic’s users “should its systems be compromised either by an internal or external party.” The problem, as Glenn Fleishman writes on MacWorld, stems from the process by which applications using other sites’ accounts for authentication are able to access those accounts. After users log-in to the third party site (such as Google or Facebook) and account verification, the developer receives a “short piece of unique text, that’s stored and used to handle interaction.” To utilize the linked account (and send Gmail messages or post personal photographs), an attacker only has to obtain this short piece of text. Worse yet, according to Reeve, an attacker can use the account access that she obtains in this way as “the thin end of a wedge” to steal someone’s identity at a variety of sites. Since many people use Gmail as their primary or secondary email address, an attacker could use the “Forgot Your Password” feature on sites to take over a Pokémon Go user’s accounts on those sites.
Niantic now appears to have fixed the issue—current users only need to download the update and sign out and back into the application—and the heightened permissions seem to have been the result of oversight. Pokémon Go for Android was unaffected, as were iOS users who signed up for Pokémon Go by creating a Pokémon Trainer Club account. Niantic has acknowledged in a statement that Pokémon Go requested more extensive access than necessary, but has only accessed or collected basic Google profile information. Moreover, as Olivia Solon writes in The Guardian, “[t]he extent to which blame for the scare should be apportioned between Google and Niantic is still unclear.”
Nonetheless, these events are a cautionary tale for companies that develop applications—especially those aimed at the mass market—if they utilize third-party website accounts for access. It is crucial to ensure that an application is requesting only the minimum necessary permission to access a user’s account. Requesting too much access, even by accident, can anger users and could result in regulatory crackdown. For example, yesterday Niantic received a letter from Senator Al Franken (D-MN), expressing “concern about the extent to which Niantic may be unnecessarily collecting, using, and sharing a wide range of users’ personal information without their appropriate consent,” based on the Google account permissions issue and other privacy concerns.
Plaintiffs’ lawyers also will be as eager as a Pokémon trainer in search of Pikachu to seek out any Pokémon Go players who might fall victim to identity theft or other harm after unwittingly giving the application full access to their Google accounts.
Niantic has now been sued over this ….David J. Beckman v. Niantic Inc., 50-2016-CA-008330, Fifteenth Judicial Circuit for Palm Beach County, Florida.