Pokemon Go has become a cultural phenomenon in a matter of days, prompting millions of (Tinder-crushing) downloads and adding over £5.4bn to Nintendo's market value before it's even been released in Europe and Japan.
The world hasn't gone so crazy for Pokemon since some card trading game you might vaguely recall from your school days.
But beneath all the cheerful Squirtle-chasing there appears to be some pretty alarming security issues. Developer Niantic Labs asks that new users sign in with an account before they play the game. Nothing unusual about that. But as noted by researcher
Adam Reeve in a Tumblr post, rather than setting up a new account you have to sign in either from pokemon.com or Google. The Pokemon website isn't currently accepting new signups, so if you don't already have an account with them it has to be your Google log-in.
Now, usually when you install an app it will request a certain degree of access. Both Reeve and
The Verge report that Pokemon Go has full access to your Google account, and does so, they note, without notifying you.
https://twitter.com/gameinformer/status/752580058561282048
Here's a breakdown of what full access includes (clue: quite a lot):
So while Niantic and Pokemon Go can't pay for anything or alter your passwords, they can view and send emails on in your name, edit or delete your Google docs, look at your search history, stored photos and more. You can revoke permissions
here, which, according to The Verge will automatically sign you out, but shouldn't otherwise affect the app's functionality.
The point of Reeve's post isn't to assume that by not properly outlining their access permissions Niantic are shadily planning to exploit the privacy of millions of users. But if their security isn't tight enough they could be a prime target for hackers.
The Verge contacted Niantic Labs for comment, but did not immediately receive a response.
