Pokemon Go Hijacks Players' Google Accounts

UPDATED 9:30 p.m. ET July 11 with statement from Niantic.

All those Nintendo fanatics who stampeded Apple's iOS App store last week to download and install Pokemon Go may have unwittingly handed control of their Google accounts to the app's developer, Niantic. The Pokemon Go app silently gives Niantic the powers to read Gmail inboxes and send emails as well as view Google search histories and private images stored in Google Photos.

Photo: Sam Rutherford/Tom's Guide

While most iOS apps generally present prospective users a list of permissions demands, Pokemon Go does not. Instead Niantic gave players two options: sign in with their Google Accounts, or sign in using an account with Nintendo's Pokemon Trainer Club. Unfortunately, the latter service spent the weekend spitting out error messages, forcing many people to sign up with their Google accounts.

This privacy catastrophe doesn't seem to be affecting Android users. But if you used a Google account to catch 'em all on your iPhone, open the Apps connected to your account page and revoke the full access Pokemon Go has over your Google account. You'll still be able to play Pokemon Go after making the change.

This was first publicized Friday (July 8) by Adam Reeve, a data architect at the Baltimore-based RedOwl security firm. After signing into Pokemon Go with his Google account, Reeve was curious to see what kind of privileges the app granted itself. He was dismayed to find that it had the same level of access to his Google account as Google's own Chrome browser.

We tested Reeve's report by installing Pokemon Go on an iPhone and an Android device, and found his results accurate.

This doesn't appear to be part of some massive privacy-invading data heist. After all, Niantic has already convinced millions of people to share their exact locations with Pokemon Go. This indicates something arguably worse: sloppy, irresponsible programming. Even if Niantic doesn't leverage its access to your Google account for evil purposes, somebody could break into the company's servers and steal the data.

If Niantic can't properly configure the permissions it takes, its internal security might not be up to snuff either -- even as the disclosure of its access to users' Google accounts makes the company a target for cybercriminals.

UPDATE: On Monday evening, Robert McMillan of The Wall Street Journal tweeted out a statement from Niantic, reproduced here in full:

"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."
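The statement describes the fix as requesting only basic profile scopes instead of full account access. The following is an added, illustrative check (not Niantic's or Google's code) that audits the scopes in an OAuth 2.0 authorization request against a deny-by-default allow-list of the basic profile scopes; the sample URLs, the client ID and the redirect URI are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Scopes that cover "basic Google profile information" (user ID and
# e-mail address). Anything not on this list is treated as excessive,
# so an unexpectedly broad scope is flagged without having to know it.
MINIMAL_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}


def requested_scopes(auth_url):
    """Return the set of OAuth 2.0 scopes an authorization URL asks for."""
    query = parse_qs(urlparse(auth_url).query)
    # The scope parameter is one space-delimited (percent-encoded) string.
    raw = query.get("scope", [""])[0]
    return {s for s in raw.split() if s}


def audit_scopes(auth_url, allowed=MINIMAL_SCOPES):
    """Flag every requested scope outside the allow-list."""
    asked = requested_scopes(auth_url)
    excess = asked - set(allowed)
    return {
        "requested": sorted(asked),
        "excess": sorted(excess),
        # An empty scope set is not least privilege either; it means the
        # request does not declare what it needs at all.
        "least_privilege": bool(asked) and not excess,
    }


# Constructed sample requests (placeholder client ID and redirect URI).
FIXED_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=openid%20email%20profile"
)
# Same request, but also asking to read the mailbox (Gmail read-only scope).
BROAD_REQUEST = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
)

if __name__ == "__main__":
    for name, url in (("fixed", FIXED_REQUEST), ("broad", BROAD_REQUEST)):
        print(name, audit_scopes(url))
```

The same audit can be run against the scopes listed on the "Apps connected to your account" page mentioned above, which is where a user sees what an app was actually granted.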