Search News Articles

Pokemon Go maker: Coding error gave company access to your emails

Note: this is a reprint of July 12, 2016, CNN article. The original article can be found here.

The makers of Pokemon Go -- the insanely popular smartphone game -- were forced to make emergency fixes to the game because the app gave the company an unprecedented level of access into players' personal lives.

For some users with iPhones, signing into the game with the most convenient option -- using your Google account -- allows the gaming company to read your emails.

That's because the Pokemon Go app gets "full access" to your Google account. It's something most apps don't dare demand.

Google settings state that "full access" means Pokemon Go "can see and modify nearly all information in your Google Account."

That includes access to email, according to Google.

Niantic, the game's developer, acknowledged the coding "error" on Monday.

In a statement late Monday night, the company said it sought only minimal information -- a person's unique player ID and email address. But "the Pokemon Go account creation process on iOS erroneously requests full access."

Niantic promised it will not use this supreme access of personal information and said it has started working on a fix to reduce the user permission needed to play the game.

"Google will soon reduce Pokemon Go's permission to only the basic profile data that Pokemon Go needs," the company said.

Niantic was forced to admit its mistakes on Monday after computer security experts realized that the video game gets a rare level of access to your Google account.

Adam Reeve, a computer security expert at the cybersecurity firm RedOwl, was the first to discover this.

"This is probably just the result of epic carelessness," Reeve wrote in a blog post Monday. "I don't know how well they will guard this awesome new power they've granted themselves... I really wish I could play, it looks like great fun, but there's no way it's worth the risk."

Google settings even warn users against granting this degree of trust on its settings page: "This 'full account access' privilege should only be granted to applications you fully trust."

Nintendo of America directed questions to the Pokémon Company International which refused to comment.

"A game shouldn't require this amount of access to your data," said Mark Nunnikhoven, a computer security expert with cybersecurity firm Trend Micro.

Since the game was released last Thursday, it has been downloaded on Android and Apple devices more than 5 million times.

In The News is brought to you by WinMill Software, the premier resource for systems development and integration, expert consulting, quality assurance, technology infrastructure, and software resale. For more information, contact a WinMill Account Manager at inquiry@winmill.com or 1-888-711-MILL (6455).