Pokemon Go Hijacks Players' Google Accounts
Apple iPhone users may unknowingly grant complete access to their Google Accounts to Pokemon Go and its developer Niantic.
UPDATED 9:30 p.m. ET July 11 with statement from Niantic.
All those Nintendo fanatics who stampeded Apple's iOS App store last week to download and install Pokemon Go may have unwittingly handed control of their Google accounts to the app's developer, Niantic. The Pokemon Go app silently gives Niantic the powers to read Gmail inboxes and send emails as well as view Google search histories and private images stored in Google Photos.
While most iOS apps present prospective users with a list of the permissions they request, Pokemon Go does not. Instead, Niantic gave players two options: sign in with their Google Accounts, or sign in using an account with Nintendo's Pokemon Trainer Club. Unfortunately, the latter service spent the weekend spitting out error messages, forcing many people to sign up with their Google accounts.
This privacy catastrophe doesn't seem to be affecting Android users. But if you used a Google account to catch 'em all on your iPhone, open the "Apps connected to your account" page and revoke the full access Pokemon Go has over your Google account. You'll still be able to play Pokemon Go after making the change.
This was first publicized Friday (July 8) by Adam Reeve, a data architect at the Baltimore-based RedOwl security firm. After signing into Pokemon Go with his Google account, Reeve was curious to see what kind of privileges the app granted itself. He was dismayed to find that it had the same level of access to his Google account as Google's own Chrome browser.
We tested Reeve's report by installing Pokemon Go on an iPhone and an Android device, and found his results accurate.
This doesn't appear to be part of some massive privacy-invading data heist. After all, Niantic has already convinced millions of people to share their exact locations with Pokemon Go. This indicates something arguably worse: sloppy, irresponsible programming. Even if Niantic doesn't leverage its access to your Google account for evil purposes, somebody could break into the company's servers and steal the data.
If Niantic can't properly configure the permissions it takes, its internal security might not be up to snuff either -- even as the disclosure of its access to users' Google accounts makes the company a target for cybercriminals.
UPDATE: On Monday evening, Robert McMillan of The Wall Street Journal tweeted out a statement from Niantic, reproduced here in full:
"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."

Henry was a managing editor at Tom’s Guide covering streaming media, laptops and all things Apple, reviewing devices and services for the past seven years. Prior to joining Tom's Guide, he reviewed software and hardware for TechRadar Pro, and interviewed artists for Patek Philippe International Magazine. He's also covered the wild world of professional wrestling for Cageside Seats, interviewing athletes and other industry veterans.
