Remember when you downloaded that hot new app called Pokémon Go three days and thousands of hours ago? Remember when you had to sign in with your Gmail account because you probably didn’t have a pokemon.com username?
Unfortunately, if you’re playing the augmented reality superhit on an iPhone, this seemingly standard practice may have handed over full access to your Google account ― and all the data in it ― to Niantic, the creator of Pokémon Go.
RedOwl’s Adam Reeve first reported the “huge security risk” several days ago, after he discovered the app had been granted full permission to his Google account. With such access, Pokémon Go could theoretically read all of your email, send an email as you, look at your search history and access photos you store on Google.
Niantic erroneously requested such permission from some iOS users, but Pokémon Go “only accesses basic Google profile information (specifically, your User ID and email address),” a Niantic spokesperson told The Huffington Post.
“No other Google account information is or has been accessed or collected,” spokesperson Sibel Sunar said in an email. “Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access.”
Sunar said Google will soon modify permission to only request basic profile data.
The permissions issue has only been reported for the iPhone app edition of Pokémon Go, and only for some iOS users. I checked my Gmail account on Monday evening and saw this message after downloading the app when it first came out in Australia last week.
You can check your Gmail permissions here and revoke access for the applications that’ve gotten a little too cozy with your data. Niantic says users won’t need to do anything after Google deploys its fix.
As several news outlets have pointed out, users are usually notified before an app gains access to an account like Facebook or Gmail. But, as Reeve found, Pokémon Go definitely doesn’t do this.
Google has cautioned users to grant full account access only “to applications you fully trust.”
“Please be aware, however, that no method of transmitting information over the Internet or storing information is completely secure. Accordingly, we cannot guarantee the absolute security of any information.”