Slashdot Mirror


Pokemon Go Was Never Able To Read Your Email (gizmodo.com)

Last week a security researcher noted that Pokemon Go's iOS app -- for whatever reason -- was getting full control of one's Google account. But is that really the case? Gizmodo contacted Adam Reeve, the security researcher in question (who also happens to be a former senior engineering manager at Tumblr), to get more details on his claims, upon which Reeve, now Principal Architect at Red Owl Analytics, said he wasn't "100 percent sure" his blog was true. From the report: Cybersecurity expert and CEO of Trail of Bits Dan Guido has also cast serious doubt on Reeve's claim, saying Google tech support told him "full account access" does not mean a third party can read or send email, access your files or anything else Reeve claimed. It means Niantic can only read biographical information like email address and phone number.

In a statement, Google tech support said:

In this case, we checked that the Full account access permission refers to most of the My account settings. Specific actions such as sending emails, modifying folders, etc, require explicit permissions to that service (the permission will say "Has access to Gmail").

Niantic, the company behind the Pokemon Go app, also assures that its app doesn't access anyone's email. Moreover, it is working with Google to ensure that only a user's profile data is accessed by the app. In a statement to Gizmodo, the company said:

We recently discovered that the Pokemon GO account creation process on iOS erroneously requests full access permission for the user's Google account. However, Pokemon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access.
Google has verified that no other information has been received or accessed by Pokemon GO or Niantic. Google will soon reduce Pokemon GO's permission to only the basic profile data that Pokemon GO needs, and users do not need to take any actions themselves.

Perhaps people should be more careful about the accusations they make.

109 comments

  1. Guilty until Proven Innocent by Archangel+Michael · · Score: 4, Insightful

    Perhaps people should be more careful about the accusations they make.

    Why?

    Accusations are often all that is needed in this world to create the effect you desire. Accusations work, because people think that an accusation = "Guilty" or at least "suspicious" and that is all that is needed to trigger the "fear" response. It works, because most people don't actually THINK, don't want to think, they only care about Kardashians or Taylor Swift.

    Seriously, WE (us people) should require people making accusations to start putting up or shutting up. Guilty until proven innocent sucks.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Guilty until Proven Innocent by Anonymous Coward · · Score: 0

      Except in this case, they *were* guilty and it was requesting more access than it needed; the developer flat out admitted it (in TFS no less). So what if it couldn't send email? It's still excessively invasive and a violation of privacy.

      So yeah, the accusation got the developer to acknowledge and plan to fix the issue. You're right, mission accomplished.

    2. Re:Guilty until Proven Innocent by Anonymous Coward · · Score: 0

      Stop accusing most people of not actually THINKING and not wanting to think and only caring about Kardashians or Taylor Swift. You are triggering the "fear" response in me, you cishet shitlord.

    3. Re:Guilty until Proven Innocent by Archangel+Michael · · Score: 1

      Lighten up Francis.

      You poor Snowflake

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    4. Re:Guilty until Proven Innocent by zieroh · · Score: 1

      Except in this case, they *were* guilty and it was requesting more access than it needed; the developer flat out admitted it (in TFS no less).

      If you'll read the TFS more carefully, I think you'll find that what you describe was not, in fact, the main thrust of the TFS.

      --
      People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
    5. Re:Guilty until Proven Innocent by Anonymous Coward · · Score: 0

      Perhaps you should think about the series of accusations followed by rebuttals.

      Google says that 'full Google Account Access' doesn't actually mean 'full', so first 'mistake' here is "hey Google, maybe you want to describe better what 'full' actually means?". Secondly, Niantic admitted they didn't NEED 'full account access' regardless of how that's defined so they went overboard in invading your privacy & admitted it. Seems to me that the fundamental aspect of the accusation e.g. 'Pokemon Go requests more access than it needed' was true.

      Ipso facto, the summary of the TFS of 'people should be more careful about the accusations they make' is NOT the proper thrust of this...it should be 'Companies should be more descriptive of their terminology, what exactly they are asking to have access to, and explain why they want it'.

    6. Re:Guilty until Proven Innocent by Anonymous Coward · · Score: 0

      You need to evaluate the source. A notable security researcher with decades of experience? Yeah, that's probably credible.

      Some tard from Tumblr? Well...

    7. Re:Guilty until Proven Innocent by Anonymous Coward · · Score: 0

      Seriously, WE (us people) should require people making accusations to start putting up or shutting up. Guilty until proven innocent sucks.

      That is a lot of work. Just wait until it has been verified and then kill people who throw out false accusations.

    8. Re:Guilty until Proven Innocent by Anonymous Coward · · Score: 0

      With today's internet world, "product X may be doing Y" is blown into "X definitely for sure does Y". Also, people should take more care about diving into the latest craze just because it is the latest craze. One way to identify definite non-leaders is to observe folk who dash into something like Pokemon Go without any thought at all.

  2. Accusations vs. reality by geekmux · · Score: 2

    "Perhaps people should be more careful about the accusations they make."

    Uh, people should be more careful?

    Ironically, while we're busy being paranoid about this app, damn near every other app installed on your phone is sucking your privacy dry.

    Right or wrong, let's not pretend this accusation was birthed from sheer stupidity or an addiction to tin-foil hats. There's a damn good reason to be wary of app privacy today, as in there is no such thing.

    1. Re:Accusations vs. reality by ripvlan · · Score: 1

      I think there are two problems with both the initial report and the fallout. First the definition of "full access" was taken and blown up by many without researching what that meant.

      The second seems to be seeking forgiveness because "yeah we asked for full permission but never used all of the potential features."

      The first is irresponsible reporting - but was solved with peer review. The second is the sorry state of security. An app can be released requesting admin privs (remember Windows apps that wanted Full Administrator rights because it was the easy way around the new Vista UAC -- and they were too lazy to call the correct APIs?). It seems this app vendor took the quick way without internally reviewing their security profile.

      And now the app is so popular that police are reminding people not to enter Private areas, "don't walk into signposts" -- and look out because criminals are using it to lure people and rob them. Yeah - there's a lot about this app that needs more review.

  3. Uh, no. by Anonymous Coward · · Score: 0

    Uh, no.

    It's given full account access.

    It may not USE full account access, but it's given it. And there's nothing to say that they can't exploit this access in the future.

    If you're using iOS, do not install this game until this is properly fixed.

    1. Re:Uh, no. by NatasRevol · · Score: 2

      You can install it, then revoke its access from your account to what it doesn't need.

      App still works fine.

      --
      There are two types of people in the world: Those who crave closure
    2. Re:Uh, no. by Anonymous Coward · · Score: 0

      Or use a dead end google account rather than one that's actually important. It's not like they aren't free.

    3. Re:Uh, no. by shaitand · · Score: 1

      According to TFS "full account access" is synonymous with "full account profile access." They aren't just choosing not to use more, the priv doesn't grant more it's just poorly named.

      The change they are making is to create an all new more fine grained permission for just the username and email address because they don't need the entire profile.

      Google is bad about fine grained permissions.

  4. So, in short... by bobbied · · Score: 3, Insightful

    Although we request you approve "full access" we don't use it, and we promise we won't in the future...

    No thank you...

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:So, in short... by _xeno_ · · Score: 2

      Pretty much.

      This is exactly the same as those old Windows apps that would only run as admin, even if they didn't really need admin privileges. Sure, they might not do anything particularly evil with admin privileges that they don't really need.

      But only half the issue with Windows programs requiring admin access was the potential for the program itself doing something evil. Half the problem was security flaws in said programs being used by malicious third parties.

      It gets worse with games like Pokemon Go where half the game is on the server. Sure, Niantic may not be doing anything with their complete access to your Google account today. But if they get hacked in the future or if they later decide they do want to make use of that full access... what then?

      The entire reason behind granular permissions is to reduce the damage that can happen when something goes wrong.

      And there's also the point where apparently Google never asks you if you want to hand over full control of your Google account to what's now a third party.

      --
      You are in a maze of twisty little relative jumps, all alike.
    2. Re:So, in short... by shaitand · · Score: 2

      I know it's a slashsin but reading the story reveals that "full account access" is full access to account profile information and nothing else. Since they are a division of google they are getting a new permission created for just the username and email address as it's all they need.

    3. Re:So, in short... by thegarbz · · Score: 1

      Yes. I came to the same conclusion because I too have the reading comprehension skills of a 2 year old.

      Try again.

  5. This story is garbage by mewsenews · · Score: 1, Insightful

    The accusation was that the app had "full access" to google account data. Hence Slashdot's previous headline, PSA: Pokemon Go Has Full Access To Your Google Account Data

    This previous story was accurate and true, because by the developers own admission,

    "[Pokemon Go] erroneously requests full access permission for the user's Google account"

    They are fixing it, and kudos for fixing it, and they've confirmed with Google that they didn't access any additional information, but they still fucked up and have admitted they fucked up.

    Perhaps people should be more careful about the accusations they make.

    Go to hell

    1. Re:This story is garbage by Anonymous Coward · · Score: 0

      The previous story was NOT accurate because it said it could read your email, documents, etc. It could not (not 'did not') do that.

    2. Re:This story is garbage by bfpierce · · Score: 4, Insightful

      The problem being nobody actually understood what 'full access' through Google's API actually does, or bothered to go look it up.

      RTFM kids, you'll look a lot less stupid.

    3. Re:This story is garbage by Anonymous Coward · · Score: 0

      "Did not do" is *NOT* the same as "Could not do".

      Accusation was they had access.
      They did indeed have access.

      They say they didn't use that access, good on them. They say they are going to reduce the access requested, great.

      The fact remains they had access whether they used it or not.

    4. Re:This story is garbage by bickerdyke · · Score: 4, Informative

      "Did not do" is *NOT* the same as "Could not do".

      Accusation was they had access.
      They did indeed have access.

      Proved wrong by even the summary:

      "full account access" does not mean a third party can read or send email, access your files or anything else

      Yes, slightly confusing. They had "full access" but "full access" does NOT grant you access to Email, Files or any other data.

      They say they didn't use that access, good on them. They say they are going to reduce the access requested, great.

      The fact remains they had access whether they used it or not.

      They had access to account data, but not access to data in any service connected to that account (like email) At least that's how I read this.

      --
      bickerdyke
    5. Re:This story is garbage by Anonymous Coward · · Score: 0

      LOL. Google won't tell you if 'full access' means access to read/send/delete emails or not.

    6. Re:This story is garbage by halivar · · Score: 1

      It's "could not", not "did not do".

      "Full access" does not include reading or sending email. Period.

    7. Re:This story is garbage by Anonymous Coward · · Score: 0

      Also, when you give a company keys to your account, you're giving your keys to their employees and anyone who hacks them.

      You look a lot less stupid by just blindly believing what Google said.

    8. Re:This story is garbage by NatasRevol · · Score: 2

      Here's what the API can do. It's undocumented, so you can't look it up:

      https://gist.github.com/arirub...

      "In summary:

              The direct token that Niantic gets can't access the gmail api / gcal api
              However, the token could potentially be exchanged through the undocumented mechanism /MergeSession to create a web session logged in as you on any google property
              I haven't seen the app try to exchange this token for an ubertoken while poking at it
              The app communicates with Niantic with encrypted blobs and theoretically could send this token to them"

      --
      There are two types of people in the world: Those who crave closure
    9. Re:This story is garbage by Quantus347 · · Score: 4, Informative

      The App had more access than they needed or intended, and more than the Android equivalent. However, it did not have the capabilities that were originally reported. The original blog post that started this sh#t-storm stated that the app could do things like "Read all your email, Send email as you, Access all your Google drive documents (including deleting them)[...]" none of which was ever true. The blogger further admitted he'd never actually worked with the google permissions or tested this, and was just inferring (read: being a bit of an alarmist) based on a general description from the Google help page.

      So yes, the iOS version of the App can do more than it needs to, and that permissions discrepancy has been added to the long list of things that need to be fixed on this still very young and rather buggy game. But No, the App could never do much of what it was being accused of doing.

      --
      Common Sense isn't as Common as people think...
    10. Re:This story is garbage by Anonymous Coward · · Score: 0

      The accusation was that the app had full access AND that because of that access, it could read your emails, history, etc, etc.

      From your own link (emphasis mine):

      If you're an iPhone user and have installed Pokemon GO, you may have noticed that the app grants itself full access to your Google account. It can read your email, location history, documents and pretty much everything else associated with your Google account.

      The only true part here was that the app requested full access - a mistake that was fixed. Everything else is clickbait and speculation. They didn't bother to check what "full access" means, and they deserve to be slammed for it.

    11. Re:This story is garbage by NatasRevol · · Score: 3, Interesting

      It *potentially* could. And now has been documented as to how it could:

      https://gist.github.com/arirub...

      --
      There are two types of people in the world: Those who crave closure
    12. Re:This story is garbage by mark-t · · Score: 1

      While it is correct that it did not do that... it *COULD* have, had it been written to do so, because it received permissions to do so, despite not using them.

    13. Re:This story is garbage by Anonymous Coward · · Score: 0

      The code "could not" and "did not"

      The permissions were such that the app "could" but "did not"

    14. Re:This story is garbage by ljw1004 · · Score: 1

      The problem being nobody actually understood what 'full access' through Google's API actually does, or bothered to go look it up.

      RTFM kids, you'll look a lot less stupid.

      What is the "FM"?

      I see a lot of google OAUTH scopes listed at https://developers.google.com/.... I don't think there is a "FM" which tells us how to map the poorly-phrased UI dialog to the actual OAUTH scopes. If the UI claims to be asking for "full access", which of those scopes do you think it's asking for? All of them? Including the scope "https://www.googleapis.com/auth/gmail.modify"?

      I've not used Google OAUTH, but I have used Microsoft OAUTH where the scopes had very badly worded UIs, and I bet the same is true of Google.

      For instance, if your app requests the Microsoft scope "wl.signin | wl.offline_access" then all it technically does is let your app use a Microsoft ID to sign into the app but without giving even one iota of access to any of your account information. However the way it's presented to the user is "This app wants to sign you in automatically and access your info anytime". My users (reasonably) thought this meant that my app could access any of their account details anytime, and a portion of them declined to grant permission.

      In this Microsoft case I don't think anyone was being stupid, and no one should be expected to RTFM, and the fault lies squarely with the folks who design the UI for the Microsoft signin process. My hunch is that the same is true of Google's OAUTH too.
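The disagreement in this thread (bfpierce's "RTFM" versus ljw1004's "which of those scopes is the dialog asking for?") comes down to a checkable question: which OAuth 2.0 scopes does an app request, and which did the user actually grant? Below is an added example, written by the editor for this page and not code from the original post, Gizmodo, Google or Niantic. It builds a Google OAuth 2.0 authorization request that asks for identity scopes only, and audits the scopes found either in an authorization URL or in the JSON body that Google's documented tokeninfo endpoint returns for an access token, mapping each scope to the data class it reaches. It assumes the documented web-server flow and documented Google scope URIs; it does not model whatever non-standard login the iOS client used, which this page does not document. The client ID, redirect URI, state value and the tokeninfo body are constructed placeholders.

```python
"""Audit which Google data an OAuth 2.0 authorization request or token reaches."""
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Documented Google authorization endpoint (web-server flow).
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Scopes that only identify the user: all a game login needs.
IDENTITY_SCOPES = {
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}

# Scope-URI prefix -> the data class it unlocks, in plain words.
# A grant matching one of these is what a "Has access to Gmail"-style entry means.
SCOPE_CLASSES = [
    ("https://mail.google.com/", "Gmail mailbox (full)"),
    ("https://www.googleapis.com/auth/gmail.", "Gmail mailbox"),
    ("https://www.googleapis.com/auth/drive", "Google Drive files"),
    ("https://www.googleapis.com/auth/calendar", "Google Calendar"),
    ("https://www.googleapis.com/auth/contacts", "Contacts"),
]


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Authorization request asking for exactly `scopes` (space-delimited, RFC 6749)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "state": state,           # CSRF token; the caller binds it to the user's session
        "access_type": "online",  # no refresh token, so access ends with the session
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def scopes_from_auth_url(url):
    """Scopes an app is asking for, read back from its authorization URL."""
    query = parse_qs(urlparse(url).query)
    return set(query.get("scope", [""])[0].split())


def scopes_from_tokeninfo(body):
    """Scopes actually granted, from the JSON body that
    https://oauth2.googleapis.com/tokeninfo?access_token=... returns."""
    return set(json.loads(body).get("scope", "").split())


def classify(scope):
    """Plain-words description of what one scope reaches."""
    if scope in IDENTITY_SCOPES:
        return "identity only"
    for prefix, label in SCOPE_CLASSES:
        if scope.startswith(prefix):
            return label
    return "other (look it up before approving)"


def audit(scopes):
    """Map every scope to what it reaches, so dialog wording can be checked against it."""
    return {scope: classify(scope) for scope in sorted(scopes)}


def excess_scopes(scopes):
    """Scopes beyond user identity: the least-privilege violation, if any."""
    return sorted(s for s in scopes if s not in IDENTITY_SCOPES)


if __name__ == "__main__":
    # Constructed placeholders; not a real client registration.
    minimal = build_auth_url("client-id-placeholder",
                             "https://app.example/oauth/callback",
                             {"openid", "email"}, "state-placeholder")
    print("minimal request:", audit(scopes_from_auth_url(minimal)))

    # Constructed tokeninfo body for an over-broad grant.
    granted = json.dumps({
        "scope": "openid email https://www.googleapis.com/auth/gmail.modify",
        "expires_in": 3599,
    })
    print("excess scopes:", excess_scopes(scopes_from_tokeninfo(granted)))
```

The point of `excess_scopes` is the thread's point: a consent screen label is not the authority, the scope string is. Running the audit on a real tokeninfo response (which does require a network call, left out here) tells you what a token can reach regardless of how the dialog phrased it, and an app that needs only a user ID and email should come back with an empty excess list.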

    15. Re:This story is garbage by bws111 · · Score: 2

      No, it COULD NOT 'potentially' do that. Full Google account access IS NOT, and DOES NOT INCLUDE Gmail access. So it CAN NOT access your email, docs, etc, even potentially.

    16. Re:This story is garbage by bws111 · · Score: 2

      No, it COULD NOT have been written to do that. The permissions that it received DO NOT allow access to email, etc

    17. Re:This story is garbage by Anonymous Coward · · Score: 0

      The previous story said they could read your email and everything else related to your interactions with Google. Which was false.

      Go to hell yourself

    18. Re:This story is garbage by CRC'99 · · Score: 0

      No, it COULD NOT 'potentially' do that. Full Google account access IS NOT, and DOES NOT INCLUDE Gmail access. So it CAN NOT access your email, docs, etc, even potentially.

      You would do well to read what you are disputing before spouting more garbage. It can, but not in a straightforward way. It is a problem, and needs to be fixed.

      --
      Sendmail is like emacs: A nice operating system, but missing an editor and a MTA.
    19. Re:This story is garbage by Anonymous Coward · · Score: 0

      Actually "could not" is correct. Pokemon Go did not contain code that could access email data. Similar to saying that running "cat" as root, "can not" delete your data. Sure, you gave it full access, but there is no such code in "cat".

    20. Re:This story is garbage by Anonymous Coward · · Score: 0

      > Yes, slightly confusing,. They had "full access" but "full access" does NOT grant you access to Email, Files or any other data.

      I'm not convinced that summary is accurate. The devs I've heard from say that it certainly can access such things and Google itself is rather unclear about what the permission does. I do note, however, that the few restrictions it mentions for full access do not seem to include restrictions on accessing email, files, etc. so I'm going to have to lean towards believing that full permissions give access (but that they honestly did not want or access such things) unless someone can find a more authoritative source, like an API doc.

      =====

      https://support.google.com/accounts/answer/3466521?hl=en

      Full account access

      When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).

      Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.

      This "Full account access" privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.

      If you've granted full account access to an app you don't trust or recognize, we recommend that you revoke this permission by clicking the Revoke access button.

    21. Re:This story is garbage by BronsCon · · Score: 1

      Similar to saying that running "cat" as root, "can not" delete your data.

      sudo cat /dev/urandom > /dev/sda

      Say what?

      It's not about the app having malicious code in it, it's about the app being exploited, like I just did with cat.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    22. Re:This story is garbage by shaitand · · Score: 1

      "The accusation was that the app had "full access" to google account data."

      Which is false. While named something like "full account access" the issue here was poor naming not improper access. The permission only granted access to the account profile information. They did not fuck up, this is currently the permission they must request to access account details such as username and email address. Because they are a Google company Google is responding by creating an entirely new more fine grained permission to access just those two items which the app will then use.

    23. Re:This story is garbage by shaitand · · Score: 1

      "The App had more access than they needed or intended, and more than the Android equivalent."

      Actually as Android permissions go this one was relatively reasonable, just poorly named. From my understanding it gave access to your account profile details and was just very very poorly named. They are only creating a more restrictive permission because of the backlash. Honestly, I think they should have just renamed the existing permission.

    24. Re:This story is garbage by Anonymous Coward · · Score: 0

      You are WRONG! Put down the Pokemon Go and read the links people above you have posted. God, now we've got Pokemon fanbois willing to defend to the death their precious game. Don't get run over searching for Pikachu.

    25. Re: This story is garbage by Anonymous Coward · · Score: 0

      From Google's docs: "When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf)."

      It says all the things it CAN'T do. I don't see email on that list do you?

    26. Re:This story is garbage by NatasRevol · · Score: 0

      Yeah, what CRC'99 said.

      --
      There are two types of people in the world: Those who crave closure
    27. Re:This story is garbage by Quantus347 · · Score: 1

      Not sure they have that freedom. This was only an issue on the iOS version, not the Android version, and I'm assuming that iOS has a different relationship with Google Product permissions. And while Niantic started off as an internal Google startup project, they've since been spun off as their own entity. The change would have to be on Google's side. That being said, you are right in that all of this could have easily been avoided if Google had more accurately named the Permission level, and given a more detailed description of what it could and could not grant to a 3rd party app in its Help/FAQ.

      --
      Common Sense isn't as Common as people think...
    28. Re:This story is garbage by mabu · · Score: 1

      someone upmod this please

    29. Re:This story is garbage by thegarbz · · Score: 1

      This previous story was accurate and true, because by the developers own admission,

      Except for the bit where someone else used the same token and confirmed that at the time the accusation made before anyone worked to change anything the story was in fact NOT true and they weren't able to access emails.

    30. Re:This story is garbage by Anonymous Coward · · Score: 0

      Dude, they never had the access. The permissions were never capable of giving that access. This is based on a misunderstanding of what the requested permissions actually mean.

    31. Re:This story is garbage by NatasRevol · · Score: 1

      From the github description:

      The direct token that Niantic gets can't access the gmail api / gcal api
      However, the token could potentially be exchanged through the undocumented mechanism /MergeSession to create a web session logged in as you on any google property

      So yes IT COULD.

      --
      There are two types of people in the world: Those who crave closure
    32. Re:This story is garbage by shaitand · · Score: 1

      Well google is creating the new permission for them so presumably google could rename the existing permission.

  6. Android version by Anonymous Coward · · Score: 0

    The Android version requests access to Contacts. I deny the access and it seems to work fine.

    1. Re:Android version by bickerdyke · · Score: 1

      And bluetooth connections.

      I can imagine some connections between a location based game and your contacts' addresses being incorporated into the game somehow, but does anyone have any idea what might be the reason behind those two?

      Location, camera and phone status are more or less obvious.

      --
      bickerdyke
    2. Re:Android version by Quantus347 · · Score: 2

      The bluetooth connection is required to use the Pokemon Go Plus notifier hardware/wristband that is currently sold out of all suppliers.

      https://www.amazon.com/Nintend...

      --
      Common Sense isn't as Common as people think...
    3. Re:Android version by shaitand · · Score: 1

      Does it matter? Even if something has valid reason for access there is nothing that guarantees it isn't also abusing the access.

    4. Re:Android version by bickerdyke · · Score: 1

      Well, nice... but..... What was again the purpose of those smartwatch thingies when apps require special wristbands?

      --
      bickerdyke
    5. Re:Android version by bickerdyke · · Score: 1

      It does matter cause I was hoping that bluetooth would support Android Wear and prevent accidents.

      --
      bickerdyke
    6. Re:Android version by xvan · · Score: 1

      Making you pay to be able to run the app in the background without you realizing that's what you're doing.

      Otherwise you need to walk with the phone unlocked, and the app active (unless a mod exists to keep apps in the background believing they're in the foreground).
      It's similar to Nintendo's pay for this toy to unlock a game character.

    7. Re:Android version by bickerdyke · · Score: 1

      Making you pay to be able to run the app in the background without you realizing that's what you're doing.

      Otherwise you need to walk with the phone unlocked, and the app active (unless a mod exists to keep apps in the background believing they're in the foreground).

      It's similar to Nintendo's pay for this toy to unlock a game character.

      Seems like you need to do that anyway:

      http://www.imore.com/pokemon-g...

      "Your device still needs to be running Pokémon Go in the foreground, so you're not saving much battery life, and you'll get those vibrations from your iPhone or Android device, anyway."

      --
      bickerdyke
    8. Re:Android version by Quantus347 · · Score: 1

      The patch that hit this afternoon appears to have added push notifications to the mix, so that may alleviate the issue somewhat.

      The wristwatch Pokemon Go Plus has a button on it so that (supposedly) you can catch them, activate Pokestops, etc without having to interact with your phone at all.

      Granted, it does seem like the sort of function that would be right smack in the wheelhouse of a Smartwatch, so hopefully they release a smartwatch app to mimic it. But for those of us that like the function but don't want to drop the cash for an actual smartwatch, a $35 dedicated device isn't entirely useless.

      --
      Common Sense isn't as Common as people think...
    9. Re:Android version by shaitand · · Score: 1

      I meant from a security perspective.

  7. Impossible! by Fire_Wraith · · Score: 1

    Unfounded speculative claims? FUD and hype?
    In "Cyber" Security? Inconceivable!

    1. Re:Impossible! by Anonymous Coward · · Score: 0

      Unfounded speculative claims? FUD and hype?
      In "Cyber" Security? Inconceivable!

      On Slashdot even. What have we become?

  8. Re:What is this? by fustakrakich · · Score: 1

    Slashdot has been forwarding a lot of false rumors over the last few weeks. It appears to be serving its purpose.

    --
    “He’s not deformed, he’s just drunk!”
  9. The same company made an app that accesses it! by Pinkbunnyman · · Score: 1

    I'd be careful, I mean what if this one could read your email and send it to its parent company! The same parent company who installed an app without your permission on your android phone! I believe it's called "gmail"...

    1. Re:The same company made an app that accesses it! by _xeno_ · · Score: 1

      Niantic is no longer part of Google and hasn't been since August of last year. They split from Google and then had a fairly large investment from Nintendo specifically for the creation of this new Pokemon Go game.

      --
      You are in a maze of twisty little relative jumps, all alike.
    2. Re:The same company made an app that accesses it! by Pinkbunnyman · · Score: 1

      No company has ever kept links with its former associate companies, right?

  10. Confirmed "full account access" by Anonymous Coward · · Score: 0

    Spin all you like, but even the hearsay security researcher accepts it has full account access.

    And a google search tells you what full account access is:

    "When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf)."

    "Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access."

    "This "Full account access" privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet."

    "If you've granted full account access to an app you don't trust or recognize, we recommend that you revoke this permission by clicking the Revoke access button."

    1. Re:Confirmed "full account access" by halivar · · Score: 1

      And what it does not include, as TFS says, is email.

    2. Re:Confirmed "full account access" by Anonymous Coward · · Score: 0

      No, the article says a security researcher claims that Google support told him that...

      The actual Google page on this says no such limit, and when you give Facebook or LinkedIn access to Google, it certainly sends out invites AS YOU to everyone in your email address book!

      There are other things the security researcher says that are flat out wrong:
      "does not mean a third party can read or send or send email, access your files or anything else Reeve claimed. It means Niantic can only read biographical information like email address and phone number."

      This is not true, the BASIC Profile access gives you that, the full access gives you that and full access! Note that the phone number comes not from the Google account but from the phone it's running on. So the security researcher is giving false information that is demonstrably false and misleading. i.e. he's spinning it.

      Google basic access profile yourself:
      "View your basic profile information: These apps have access to basic data from your account, like your name, email, gender, or country."

  11. Re:Gizmodo, no thanks by Anonymous Coward · · Score: 0

    Also, the *settings* in your google account said that Pokemon had access to your email.

    Not sure what other proof was needed.

    They may not have accessed it, because it wasn't designed to do this, but that's not the same as not *having* access.

  12. Permission Justification by Thelasko · · Score: 1

    I think app developers should write a short sentence justifying their need for the permissions they require. Some apps are just ridiculous. Why does a streaming audio app need to access my call history?

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  13. BS: these guys are reading your emails by DatbeDank · · Score: 2

    Pokemon Go is a psyops brought to you via the same data-mining shill that developed Ingress as well... Niantic, which was formed by John Hanke. Hanke was the original founder of Keyhole (which was acquired by Google, by the way...) a program that received a large chunk of its funding from In-Q-Tel, a government-controlled venture capital firm that, in turn, is supported largely by National Geospatial-Intelligence Agency (NGA), whose primary mission is “collecting, analyzing, and distributing geospatial intelligence.” Very easy to spot the true intent behind these 'games'.

    1. Re:BS: these guys are reading your emails by Anonymous Coward · · Score: 0

      Very easy to spot the true intent behind these 'games'.

      To make a metric fuckton of cash for Nintendo?

    2. Re:BS: these guys are reading your emails by laurencetux · · Score: 1

      No, to make an English Long FrackTon of cash for Nintendo

  14. Re:What is this? by Anonymous Coward · · Score: 0

    Well, as a principled robber, and by that I mean a robber who will only attack manchildren playing Pokemon GO (FUCK YOURSELF) while ignoring anyone looking under the age of 18 and anyone who is female, I am very nuts about this game because it will basically make manchildren send themselves voluntarily to more remote locations where I can await them and take all their stuff. Better yet when they are too plastered to the screen to notice me.
    As far as kids go, I ignore them mainly because the pedophiles are in charge of that group, while rapists will be the ones in charge of waiting for females.
    Now you know why Pokemon GO (FUCK YOURSELF) is of such relevance and importance.

  15. "Perhaps people should be more careful ...." by Anonymous Coward · · Score: 0

    ... about believing what they read on slashdot, considering this is where I read the initial accusations 14 hours ago.

  16. A Google Company can access your Google Data! by Quantus347 · · Score: 1

    ...and everyone loses their minds.

    This is probably a Joker meme by now...

    --
    Common Sense isn't as Common as people think...
    1. Re:A Google Company can access your Google Data! by Anonymous Coward · · Score: 0

      It's not a Google company, it was a company Google once invested in. I think it concerns a lot of people because they don't know how bad it is. They sign up for LinkedIn or other social networks, and they don't realize it pulls their email address book, datamines the address book for links, and sends out invites pretending to be you to every one of those people to invite them to join the network.

      What they don't then realize is it keeps accessing their account details, so every new person they contact gets the same treatment.

      I think most people think their email is theirs and the massive access that Google gives goes hidden from them.

  17. iOS? Google account? by Yvan256 · · Score: 2

    Maybe my iPhone is too old, but what does iOS have to do with a Google account?

    And is a Google account needed to play Pokémon Go?

    1. Re:iOS? Google account? by Quantus347 · · Score: 3, Informative

      When you first log in you can sign in with either your Google/Gmail account, or else create an app-specific "Pokemon Trainer Club" log-in. Presumably doing the latter would not grant any Google Account access.

      --
      Common Sense isn't as Common as people think...
    2. Re:iOS? Google account? by wwalker · · Score: 1

      You can also create an empty Google account just for silly apps like that, separate from your important stuff. Let them read emails from each other.

    3. Re:iOS? Google account? by thegarbz · · Score: 1

      Or not let them read emails from each other since that is not what the permission allows.

  18. Bad permission naming by SeattleLawGuy · · Score: 1

    Yes, there is no privacy. And privacy is already hard enough without naming permissions "full account access" when it does not include full access to an account, rather than to a certain subset of the account. It sounds like somebody did that.

    The reporting error wasn't the blogger's fault; it was the fault of whoever named the permission "full account access." And it is still good that he reported it, because it highlighted a problem where the app programmer requested broader permission than needed. The blogger's confusion was understandable, and people should feel absolutely free to blog about their security concerns.

    The right thing is then to ask Google or the app owner before publishing an article in the real media. Gizmodo did the right thing: vetted it with experts and tried to get a statement from Google.

    --
    Real lawyers write in C++
    1. Re:Bad permission naming by mabu · · Score: 1

      >And privacy is already hard enough without naming permissions "full account access" when it does not include full access to an account, rather than to a certain subset of the account.

      Assuming "full access" means "all access" is not a mistake.

      It's probably a good idea to assume the worst in situations like this.

      The fact that "full" wasn't "all" and people assumed otherwise may result in better protection of people's privacy and personal information.

  19. Editorializing? by MrLint · · Score: 2

    "Perhaps people should be more careful about the accusations they make."

    Perhaps what really needs to happen is better definition of what 'full access' means and that apps should be more 'careful' about which permissions they request.

    "Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information,"

    1. Re:Editorializing? by thegarbz · · Score: 1

      Perhaps what really needs to happen is better definition of what 'full access' means and that apps should be more 'careful' about which permissions they request.

      Or perhaps the world should harden up and realise that the app installed on the phone is pretty much far more sandboxed and has far less access to information including the inability to read emails or other files than pretty much any PC program ever.

      People are afraid someone is going to infringe the privacy of their own shadows these days, but only through mobile because accessing internet banking and responding to phishing attacks on a malware infested PC doesn't generate news headlines like it did in the 2000s.

  20. Red Herrings by Anonymous Coward · · Score: 0

    Look deeper, this is just noise to try and shift focus away from Niantic/Google cause they are in bed with the US Govt and CIA via In-Q-Tel.

    1. Re:Red Herrings by Quantus347 · · Score: 1

      They are conspiring with Boeing, McDonalds, and the Illuminati to further their Chemtrail program!

      --
      Common Sense isn't as Common as people think...
  21. Careful about accusations? by idontusenumbers · · Score: 1

    Perhaps people should be more careful about what they name account permission settings.

  22. Ingress has had access for years by ItsPaPPy · · Score: 2

    Here is the proof
    http://i.imgur.com/TWOedY7.png

  23. Re:What is this? by BronsCon · · Score: 1

    Someone mod this AC troll insightful. We're already seeing this actually happening.

    In unrelated news, I've been driving a lot more, lately. I'm sure it has absolutely nothing to do with hearing about kids walking into traffic while playing Pokemon GO.

    --
    APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  24. poor permissions nomenclature by google/android by Anonymous Coward · · Score: 0

    Perhaps this is google/android's fault? I think there is a lot of room for confusion due to the ambiguous way the permissions are described, they *seem* pretty broad and over-reaching to me in general (even if that's not the case or reality). Especially since many apps/daemons run quietly in the background and don't really ever go away.

    For example, I'll use a few of Uber's permissions as examples (not picking on them, just an example of a common app that has a lot of permissions; I've also included some items from Lyft and Facebook's permissions):
    1. "Directly call phone numbers + read phone status + identity". I guess customers need to talk to their driver every now and then to coordinate pick-ups? But (as worded) it does sound like maybe Uber could access the names/numbers of all the people you ever talk to, Uber-related or not, for marketing/analytics purposes.
    2. "Read your text messages, receive or send text messages". Again, I guess customers occasionally need to talk to their driver every now and then to coordinate pick-ups? Or maybe send info to your friends if you use the social features and want to tell people when you're arriving? But (as worded) it does sound like maybe Uber could just quietly read all your text messages, whether Uber-related or not.
    3. "Take pictures and videos" -- I guess if you want to add a photo of yourself to your profile? But I certainly wouldn't want them to surreptitiously take photos/videos for any other out-of-app purpose and send them back to Uber HQ, and it doesn't say they couldn't/won't do that. (Or Facebook "record audio" as a permission... same privacy concern.)
    4. "Approximate/precise location" -- presumably so drivers can find you or so the mapping will work properly. But it doesn't really say that they have to stop tracking you when you aren't actively using the app.
    5. "Read/modify your contacts" -- I guess some customers want to notify people about arrival times or do "refer a friend"-ish stuff? But as worded it seems like they just want to slurp up all my contacts for marketing/analytics purposes.
    6. "Read calendar events plus confidential information" -- Uber doesn't have this permission, but Lyft does. Not sure why Lyft would need this at all, maybe so you can get notifications of friends' arrivals, or maybe so they know how many cars will be needed after a concert is supposed to get out. But as worded, this sounds like they have full access to all my appointments, who/where/when I'm meeting, the subject matter of these meetings if available, etc. This sounds ridiculously invasive and anti-privacy. Or Facebook can "add/modify calendar events and send email without owners' knowledge", which sounds scary.
    7. "Modify or delete or read the contents of your USB storage" -- I imagine they need to store/access a few bits of data about me and my settings, or pick a photo/file attachment from my library. But as worded it sounds like they could read the contents of *all* my files (personal data, data from other apps) if they wanted to.
    8. "Add/find/remove/use accounts on device, read Google service configuration"
    9. "Full network access - internet, wifi, data"

    As an example -- I think with these wordings it makes it *seem* that if I had a confidential conversation with my doctor or lawyer, Uber/Lyft/Facebook/etc would be able to know about it (the time/date of the call, who I was talking to, etc), or perhaps even know the details (if it were included in a calendar invite, or if I had sent/received an attachment).

    (And the "Updates to app may automatically add additional capabilities within each group" language doesn't inspire confidence.)

    If they really don't intend for permissions to sound so intrusive and broad, I think it would behoove Google to clarify/narrow the language of the permissions to put people at ease. And rather than giving all these apps permission to view all my contacts/photos/files/etc, only give them access to those few I explicitly opt in to share with that app.

  25. National News Story... by Anonymous Coward · · Score: 0

    I'm just waiting for the headline:

    Tesla On Autopilot Kills Person Who Walked Into Road While Playing Pokemon Go

  26. That is absolutely true by wonkey_monkey · · Score: 1

    Pokemon Go Was Never Able To Read Your Email

    It certainly wasn't. I've never installed it.

    --
    systemd is Roko's Basilisk.
  27. NOBODY EVER GAVE A FUCK by Anonymous Coward · · Score: 0

    This is CIA obfuscation technique. Same story, extrapolate and tire people out hoping they don't see the actual comments that matter.

    1. Re:NOBODY EVER GAVE A FUCK by Anonymous Coward · · Score: 0

      Exactly. Look how long the fucking summary is.

  28. could not isn't did not by Anonymous Coward · · Score: 0

    So, perhaps some people should be more careful with their wording?

  29. Perhaps... by Khyber · · Score: 1

    "Perhaps people should be more careful about the accusations they make."

    Perhaps fucking companies should be more careful and less lazy about the boilerplate bullshit they throw in, and actually bother to write a relevant fucking EULA/ToS for their software.

    And perhaps you should shut your whore mouth, manishs.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Perhaps... by Anonymous Coward · · Score: 0

      Awwww, Alex's skinny ass is attached to a big fat mouth. If you got into a fight with an eight year old, you'd get your ass kicked, you sissy piece of shit.

    2. Re:Perhaps... by Khyber · · Score: 1

      Big words from an AC that's too fucking fat to get up from behind their keyboard.

      And you're not as anonymous as you think - your vocabulary and typing mannerisms give you away, you furry fuckwit.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    3. Re:Perhaps... by Anonymous Coward · · Score: 0

      You are a funny little man so far off the mark... much like your commentary on most issues. How can someone so fucking stupid think he is so smart?

  30. Competency Question by EndlessNameless · · Score: 1

    If an established security researcher can't figure out what permissions an application is requesting, maybe Google needs to work on their UI.

    On the other hand, maybe the guy is just an idiot.

    I'm not into Pokemon, so I don't know exactly what it displays during installation.

    --

    ---
    According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
  31. It has Officially been Patched. by Quantus347 · · Score: 1

    The first patch went live about an hour ago, and included a fix to the Google Account scope.

    http://www.popsci.com/pokemon-...

    --
    Common Sense isn't as Common as people think...
  32. Re:What is this? by mabu · · Score: 1

    There's more substance to the article than there is inaccuracy. It may be true that the app doesn't have access to a person's gmail account, but the privacy policy makes it clear users should have no actual sense of "privacy" for the data that is collected:

    “We may disclose any information about you (or your authorized child) that is in our possession or control to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate”

    On top of that all versions of the app request access to a person's contact database, which does contain a tremendous amount of information that is totally not relevant to game play, including e-mail addresses of everybody in a person's contact database. In this manner, even if you don't play the game, if someone does who has your personal info in their contact list, then your privacy has been compromised as well.

  33. erroneous?? by RIPgriggs · · Score: 1

    "Pokemon GO account creation process on iOS erroneously requests full access permission for the user's Google account." Yes everyone, please believe us that it is "erroneously" requested. And once we have permission from all the iOS users, because of this erroneous request.... PLEASE BELIEVE we will not use those permissions to violate you. "However, Pokemon GO only accesses basic Google profile information (specifically, your User ID and email address)" yes, PLEASE TAKE OUR WORD ON THIS "MISTAKE"