Hacker News new | past | comments | ask | show | jobs | submit login
Pokemon Go is a huge security risk (adamreeve.tumblr.com)
780 points by patchoulol on July 11, 2016 | hide | past | favorite | 251 comments

It's worth noting that Niantic Labs (the folks who licensed Pokemon from Nintendo and made Pokemon Go) are actually owned by Google [0]. This is Google giving itself permission to do Google things. Dollars to doughnuts they tried to use some internal-only API because things kept falling over at pokemon.com. Is this a massive UX failure? Certainly. Is giving Google permission to access Google stuff a "Huge security risk"? No more than putting your stuff in Google's hands in the first place.

Niantic are also the folks behind Ingress, if you've heard of that.

[0] Specifically, Alphabet owns a significant portion of Niantic, along with Nintendo: https://nianticlabs.com/blog/niantic-tpc-nintendo/ (they were previously wholly-owned by Google).

I really disagree with this.

Google has extremely strict safeguards in place to prevent eg. employee Joe from accessing ex-girlfriend Mary's Gmail. Very few people would have full access to individuals' Google accounts. This kind of privacy breach would be very damaging to Google.

Niantic is a tiny startup with around 50 employees. I would expect most developers within the team would have full access to the production database, or would be given access if they had a need for it. It's unlikely that there's any oversight over who can access data - it's just a 'game'.

Where are their backups stored? Are they encrypted? Who has access to the decryption keys? We don't know, but I would bet any amount of money that their systems are vastly less secure than Google's are.

The relationship between Google and Niantic isn't relevant as to whether they are capable of keeping these credentials secure.

> Google has extremely strict safeguards in place to prevent eg. employee Joe from accessing ex-girlfriend Mary's Gmail

I know a bit about google's internal privacy safeguards (including how long they've been in place), and I know a bit (nothing that wasn't in the news) about the NSA's internal privacy safeguards from a certain point in time.

Obviously I don't know what it's like at the NSA today, but it's worth laughing (or crying) at the fact that there was a time when Google placed more restrictions and security in place to protect its users from rogue employees than the NSA did.

Not to get too political.

That's because the NSA does a lot more thorough background checks and has a nation-centered mission, while Google hires people relatively unchecked and of all nationalities and all over the world.

And in terms of abuse (i.e. LOVEINT), which strategy do you think has proven to be more sound? Hiring only good people, as verified by a thorough background check? Or hiring probably good people, and then using robust checks and balances anyway?

Even if they are a startup within Google, what does that mean for my security as a user?

Do they store this API key with full access to a Google account the same way that an official Google app (e.g. Gmail itself) stores my secret data? If so, I probably trust it. Or do they just throw it in a GCE database without a whole lot of thought around a security policy since they're still a fast-moving startup, and maybe my credentials get logged somewhere, or synced to an analytics system that's not treated as classified and a whole bunch of employees can inadvertantly access, etc

Seems like I have no way of knowing (unless maybe it's in their terms of service?). It could very well be a "Huge security risk"

You're absolutely right - Niantic's history with Google does not preclude them having crummy security practices that we aren't aware of.

However, "Popular thing possibly has crummy security practices (we just don't know)" isn't HN-worthy, it's just FUD. I think both of us would prefer a HN full of well-researched articles over one full of clickbait FUD.

>However, "Popular thing possibly has crummy security practices (we just don't know)" isn't HN-worthy, it's just FUD.

Bullcrap. Best security policy is trust, but verify.

Assuming that well established businesses have good security practices without doing proper review is what allowed all those fraudulent SWIFT transactions to go through a few months ago. It's perfectly valid to ask why the hell Pokemon Go thinks it needs access to your private email.

Actually, that's all there is to "research" about this topic, as there is nothing available to read around what they could possibly use the full access tokens in any terms of service or application literature.

Not FUD to me. I am not going to install Pokemon Go until this is cleared up. I am glad he pointed it out, since I may have clicked through given I would have made quick judgements about them being Google-owned.

One thing the article is wrong about is that you can create a new account a pokemon.com (bypassing the google kerfuffle). You just need to keep reloading until it let's you past the "try again in an hour" message.

May or may not be an issue for you - affects iOS only, if I'm reading this correctly.

They were an Alphabet company, but were spun off last year: https://www.theguardian.com/technology/2015/aug/14/niantic-l...

They are still majority owned by Alphabet, they just spun it off so they could take VC and Nintendo money

Right, so not only did they spend a significant amount of time steeping in Google itself, the big G then invested a significant amount of cash into the now-spun-out company. I'd say that qualifies as 'owned'.

How does that make the permission creep OK? If they were part of Google, and already had access to the data, that's one thing. But they aren't, and they don't.

Even if Google Inbox were asking for full permissions I'd be extremely sketched out about that, but it wouldn't happen because Google developers are, by and large, on top of things.

A third-party company, even with significant investment and history with Alphabet, requesting full access to my Google account despite needing ZERO access (i.e. for what they need, requesting no permissions would suffice) is sketchy and inherently untrustworthy.

Well, at least a stockholder. Which is nothing like complete ownership, especially considering Nintendo is the other elephant with equity.

Google's own apps often don't request this much permission. Basic security principles.

Correct. Google Drive, for example, requires fewer permissions: https://pbs.twimg.com/media/CnG3kslW8AA1iZM.jpg:large

If you connect Chrome to your account it does get full permissions for some reason. Perhaps Chromebook-related?

Pretty much. Google was trying to cram the entire Chrome OS platform in their browser a while back (remember Chrome's Windows 8 mode?), although they've kind of taken a step back from it lately.

Niantic Labs became independent from Google during the forming of Alphabet so it is to say you are still giving an independent third party access to your google account.

This doesn't mean shit. You still give another legal entity access to your data. Different company, different people, different management, different EULA.

I saw the prototype of Pokemon Go in 2014 as an April 1st campaign by Google Maps, surely this is a very tight bond with Google. I won't worry about it either.

>Dollars to doughnuts they tried to use some internal-only API

Not at all necessary for this situation to occur. I just finished implementing a system (nothing to do with Pokemon) that also requests permission from external sites in a similar way. The mechanics for doing this are fiddly and checking this is actually set up correctly is likely well down the priority list provided things at least appear to work.

It is entirely possible that someone who had never done it before set it up in a hurry then everyone in the dev team just blindly clicked through without ever properly reading what was being requested because they were all in a rush to finish their stuff.

Most tech people realized 20 years ago email is a terrible place for confidential information unless you have OPSEC and use PGP. If you trust your plain text email traveling around the world and stored in Google's cloud it seems stupid to worry about someone accessing it.

Also Gmail allows you to create more than one account. Instead of all this alarmism in media just tell people they should create a separate account in Gmail just for games instead of using the one you are worried about some big billion dollar company accessing it (which they already do).

Interestingly, it does not work on Android Nougat.

Yea but it had to work on iOS..

Genetic Fallacy

Update from Niantic in this Game Informer article http://www.gameinformer.com/b/news/archive/2016/07/11/pokemo...

"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account. However, Pokémon GO only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."

I actually just finished wrangling social log in for a system that is waaaay less popular than Pokemon GO. Rather amusing to see an organization operating at a vastly bigger scale still hitting the same sorts of speed bumps.

Impressed by the quick turnaround on this!

If google auth as a platform grants full access to your google account without any sort of confirmation, isn't that the security risk? Whether or not it's intentional or malicious on the part of Niantic, that seems like the real problem here.

Yes! I did notice there wasn't a "This app will have access to…" screen when I signed up (I've never seen that before), but that just made me assume they were asking for like the absolute minimal permissions possible or something.

"[random game on a whim] has Full Access to your Google Account" is scary

To my knowledge, this is known bug in iOS that the Google auth grant inadvertently gives all permissions. You'll note that other users below report this only happening on iOS and not Android which shifts the risk away from Niantic/ Pokemon Go and towards Google itself, as you've mentioned.

How could iOS be responsible for the auth between two third-party services?

Isn't it more likely to be a bug in the iOS version of Pokemon Go?

They probably meant the Google Auth library for iOS.

Yes, thanks for clarifying.

Yeah, I had no idea when I signed into Pokemon Go with my Google account that it was doing anything scary. I didn't even consider it would be granting full access to my account. It's almost like Google treats that as the default case, and it's an exception that they style differently when the app requests a particular scope to limit its access.

Yeah, I agree. I strongly suspect that the scope of permissions requests was an oversight (e.g. Just ask for everything now, we'll pair it down once we know what data we need). Additionally, while I don't like the idea of having Niantic having access to my entire Google account, let's remember that Niantic started as a Google company, and is now under the Alphabet umbrella, so have a vested interest in keeping things on the up-and-up. Lastly, Nintendo is up 35% thanks to this game (about $7B), and I strongly doubt that there is anything they could gain from scraping/abusing these Google accounts that would come even close to that type of impact. My money is on "bad development process and oversight", and this is just one of many rough edges that I've already noticed in the software.

> I strongly doubt that there is anything they could gain from scraping/abusing these Google accounts that would come even close to that type of impact.

I'd have said the same about VW's emissions cheating scandal before it broke.

Hanlon's Razor

So here's the interesting thing... apparently if you sign in with the same google account on another phone, you have to start over as a new player.

Not true, don't worry :)

Not true at all. I've wiped the app from multiple devices and accounts today and it's always restored the player's progress after you log back in.

This was the case on an android phone using Google login. His nexus 6X was on a beta build so he was unable to install the app. He started playing the game on an older device while he downgraded his 6X. After it was complete, he logged into his 6X using his google credentials and it prompted him to start over.

Probably because he was previously playing the Pokemon Go field test. All of the field test data was wiped, accounts and all. Everyone started over.

I've gone between three phones this week for various reasons, and this has not been an issue.

Seriously? What happens if I delete the app? Do I delete all of my progress?

Then you reinstall and all is fine. I went from using it on my Nexus 7 to my Nexus 5X and all of my progress was there.

I've yet to try that, but I can. I'll report back in a few. Having trouble logging into my iPod... will see if I can get my coworker to remove it from his older device.

And just like that I will never sign in with Google anywhere ever again. I just assumed that an app couldn't grant itself full permissions without notifying me, but now I can see why that might not be the case since they are free to present whatever UI they want in app.

In my dream world Google would revoke Niantic's API access forever in order to make an example out of them. Maybe, eventually, if they can prove that they didn't hoover up all the information they had access to they can be unbanned after a year.

Unlikely though considering they used to be a part of Google.

This is a fundamental security issue due to a combination of the OAuth protocol and UIWebView (and whatever the Android equivalent is), which I've posted about before [0]. Basically, the problem is that OAuth depends on web-based access granting, but an app has full permissions over the DOM of the WebView where the OAuth screen is. So you're entering your password into a WebView of a third party URL, but unlike a traditional safari page, the WebView is fully "owned" by the app, so the developers can inject arbitrary code into the DOM of the third party website.

There is no technical limitation to an app engaging in very nefarious activity. For example an app could modify the DOM on the sign-in screen to grab your password after you enter it. Of course the accountability of MITM and security reviews might mitigate this risk, but passwords are generally only a few bytes and could easily be obfuscated and passed surreptitiously over the wire.

I've seen a (quite popular) app implement this for facebook invitations, which should only have a limit of 50 friends, to secretly (in the background, without any action on your behalf other than logging in, or perhaps pressing a "continue" button) invite every one of your friends to download the app. Since facebook does not notify you when you send an inviation, you would not even know the app did this unless one of your friends who you invited asked you about it.

[0] https://news.ycombinator.com/item?id=11637209 (thanks molecule)

In iOS 9 there is SFSafariViewController which doesn't give such control.

Some providers (e.g. Fitbit) require you use this instead of UIWebView in order to access their API, presumably to avoid accessing the DOM.

Not sure exactly how they are enforcing this though, since they don't provide their own OAuth library.

Yeah, you could always override the method in the Fitbit library that implements that requirement.

> how do I permalink to a comment?

The comment's timestamp is a link.

> the WebView is fully "owned" by the app, so the developers can inject arbitrary code into the DOM of the third party website

Uh, seriously? I just suggested to our mobile team to integrate this way on Android (I implemented the OAuth 2 server).

I would've made the same suggestion to a 3rd party app vendor when the day comes.

A Chrome Custom Tab is probably the better way to go.

In summary, if you give a nefarious app your password it can do a nefarious thing?

I'm curious how exactly this is specific to the UIWebView implementation.

It's because the app has access to and control over the DOM of the UIWebView. Suppose some app called EvilGameFoo is asking you to authenticate with your Google account. They should kick you to a UI controlled by Google, which EvilGameFoo cannot in any way inspect or access, where you enter your credentials. Google then tells EvilGameFoo that they can vouch for you. Instead, UIWebView lets the app asking you to sign in via an identity provider inspect the DOM of the UK where you enter your credentials. Hence it lets EvilGameFoo read your password.

How are you supposed to know that it is actually a UI controlled by google and not a simulation of a UI controlled by google?

The OAuth model not only enables phishing directly even worse than that, it disarms people's natural skepticism towards phishing attempts. Its adoption was a terrible idea.

Well, on the web you're generally following redirects to a URL. You can verify the owner and authenticity of the host. (A phone app could kick you out to a browser app (not a web view) to authenticate.) Then after you've signed in and granted permission on, say, Google, Google will redirect you to a URL that the other app configured with Google. On a phone that URL should have a host or protocol that the app has registered with so your phone's OS will kick you back to the app after you signed in on the web browser.

Of course, you're absolutely right that it would be trivial to spoof, say, Google or Facebook or Twitter and collect credentials. I would _hope_ that behavior would be detected by Apple or Google during app security screening, but maybe not. Regardless, I totally agree with you about OAuth and security. It does present a lot of problems.

Google could send you a confirmation email which is the second factor in this oauth flow. It makes it more annoying, but more secure. It's always a trade off I guess.

> How are you supposed to know that it is actually a UI controlled by google and not a simulation of a UI controlled by google?

I have a certificate signed by Symantec guaranteeing that it's authentic!

Right, but what if they didn't use the UIWebView tactic and instead used custom chrome to submit the data. Couldn't they just tap it at that level?

Outside of the Android model where it does the auth for you upon request and only hands the app a token, I don't really see how you don't open yourself to this attack.

iOS really doesn't provide a way for other vendors in an inner ring of consumer trust and power to deal with this. While I'm not a fan of the decision to give full access to Pokemon Go, I didn't find it surprising that it did so on iOS and I had to make a conscious decision to "trust" Pokemon Go as part of the process.

Oh yeah, for sure, there are plenty of other ways a nefarious app could scrape a user's credentials during OAuth on iOS.

If UIWebView didn't allow the app access to the DOM then it wouldn't be possible this way. But,of course, the user has no way to know how the UI is implemented.

If an app does this, won't Google revoke their API key?

They have to detect it. The app could quietly collect credentials for months/years, and revoking the API key won't change those passwords.

> In my dream world Google would revoke Niantic's API access forever in order to make an example out of them. Maybe, eventually, if they can prove that they didn't hoover up all the information they had access to they can be unbanned after a year.

I'm really glad you're not making that decision then. Banning some company based on their use of public, legal APIs would be an absolutely toxic decision for Google's platform.

It's Google's fault for allowing this kind of access with no notification (yes, the fault here might lie somewhere in OAuth, but there's plenty that Google could do to make this less serious). Don't blame people for leveraging options at their disposal.

Elsewhere in the thread it is alleged that this is a bug (or misbehaviour) with Google's iOS authentication library. It's possible that Niantic is not requesting any permissions and the library defaults that to 'full access' and not 'no access'.

I've yet to see it confirmed, though.

This issue only affects apps though. When granting OAuth permission via the web, you are actually redirected to google's website, and then afterwards redirected back to the site you were on.

Google recommends using the browser workflow for installed apps too.


Which probably isn't very helpful, as lots of users won't notice whether they are using a browser or not.

Does anybody know how Pokemon Go ends up interacting with accounts that have 2 factor authentication turned on? I sure wouldn't type my main password into some app, I'd at least use an app password:


2 Factor works. I'm forced to log back in when ever there is server troubles, which is annoying, but what ever.

Did you try using an App password? Doesn't seem to work for me

No I haven't tried it.

The other day someone's web app I clicked on, and it automagically signed me in with Google and added itself to my connected apps. Cloudcraft.co, I think it was. When I hit their signup link, it auto-signed in with Google without me even clicking their Google button.

After I disconnected it, it didn't behave that way a second time. So I am kinda mystified what happened there. But it was pretty strange.

Could the app be intercepting the confirm screen and auto-agreeing w/o user interaction?

I am very hesitant to accuse the app of doing something intentionally shady like that. I don't really :know: what happened, and I couldn't replicate it myself after removing the app from my account and visiting it again.

> I just assumed that an app couldn't grant itself full permissions without notifying me, but now I can see why that might not be the case since they are free to present whatever UI they want in app.

Is that the case? Doesn't this still require going through the standard prompts?

Anecdote: On Android 6.0 the Pokemon Go game requested 4 permissions on first launch. Account, Camera, Storage, and one other I believe. I had to individually approve each one.

That's just access to your phone, not your Google account. Those permissions don't cover the app's ability to read your email.

I also do not have an entry on my Google permissions page (https://security.google.com/settings/security/permissions?pl...), this appears to be an iOS only bug, explaining why no Android user can recreate this bug

I can verify this. I logged in with Google and see no permission given to the app.

I do have an entry on that page!

"Pokemon Go Release - Has full access to your Google account"

Revoking access now. Glad I read HN!

According to the article, it does not.

or just use a burner email for stuff you don't trust

"Pokemon Go Release" has "full access" and yet "Ingress" (a game very similar to Pokemon Go from the same company) only has "basic account info". I removed the access and when I started the app, it crashed right away. (I'm on iOS, by the way.) Subsequent launch I'm stuck on the "LOADING..." screen, and then it says "Failed to get player information from the server." I hope the servers are just down and I didn't lock myself out. (Or maybe I should be glad until this fix this breach.) Edit: Deleting the app and reinstalling allowed me to log in again.

It appears to be the iOS version only that's doing this, according to this article:


When I checked this morning Ingress also had full perms. I revoked and reconnected and Ingress only had basic account info. I was also queried appropriately.

Possibly this was fixed on Ingress sometime in the last X months but not on Pokemon Go.

Same here. I granted Ingress access in Nov 2015

When I signed up, it only said basic account info or that they'd like to know who I am. Nothing else.

Apparently Google Maps also has full access to your Google account: http://sanziro.com/2016/07/pokemon-go-has-full-access-to-you...

I don't see any access granted to Pokemon Go (it's not even listed) in the "Apps Connected to your Account" page: https://security.google.com/settings/security/permissions

I am running on a Nexus 6 and signed in with my Google Account when I first launched the app.

Try revoking access and see what happens. Worst case, it might ask you to sign in again.

on iPhone 6s, checked and saw it had full access. I revoked access and opened the app up. It was stuck loading so I logged out and back in. Went back to check app permissions on google and it had full access again.

Wait, you revoked access from within google, and then the pokemon app was able to give itself access again without asking for permission?

Yes. I'm not sure if I need to re-log in the app or not though. Maybe if it didn't freeze and I didn't have to re-log then it might have left the access revoked. But it seems that once I re-log the full access goes back into effect.

re-logging in is re-authorization

if true, something is seriously messed up

It's possible it only does this on iOS, because I signed up normally using iOS and I see this at that link:


Just chiming in that I am another person (using a OnePlus One with cyanogenmod) that does not even see pokemon go in my "Apps Connected to your Account".

According to an update posted now on the article, the problem is only on the iOS version

I also don't see any access granted to Pokemon Go, I signed in on my nexus 5x and was also in the field test.

On my iPhone 6s, it shows full access.

Screen: http://imgur.com/YX9K8Ds

Yeah I'm on a Galaxy S7 and signed up with my google account as well and see no mention of it on my connected apps page

Same here. I recall a "give pokemon go access to your google contacts" dialog (or similar), which I denied.

Same here. I guess "gotta catch 'em" all means something else in this instance

Same here, OnePlus One running CM13, I can't see it in the list (neither release or the previous field test).

I also don't see any app access granted for Pokemon Go under my LG V10 and Google account.

I also do not have a Pokemon/Niantic entry in my list there. No idea what happened for OP

ditto. Recent android phone. This worries me almost as much as the full access issue, cause I definitely signed it to my google account via the app yesterday.

"[T]his section of the privacy page on the Google account settings website is only showing up for those that have played on iOS and signed in using the Google button. Android users who used the same login method are not seeing the “Pokemon Go Release” at all on the permissions site (nor do they see Ingress), so we’re not sure yet if those users have trusted Niantic with their entire Google account as well." source: http://9to5google.com/2016/07/11/psa-pokemon-go-full-access-...

> Android users who used the same login method are not seeing the “Pokemon Go Release” at all on the permissions site (nor do they see Ingress)

This is interesting, I can't test this myself as I have previously played Ingress on both iPhone and Android.

My Android device is mostly for development/testing, so I'm not nearly as regular a user of the platform as I am for iOS.

Could any Android users comment on if this is normal to not see Android apps like Ingress on this authorization list?

I've never played Ingress, but I've played PGO for android. Google account settings (https://security.google.com/settings/security/permissions) shows an empty list for me.

Yeah it's not showing anything in my google app permissions. I assume it signed in using google play services (it was automatic, I never selected anything), and that's where the in app purchases seem to go.

Caveat: I've seen a number of players state or imply that playing this game has been the first decent exercise they've had in years. Lack of exercise is a far greater threat to your well-being than having your Google account hacked, so if that's what it takes, go ahead and play the game anyway.

> Lack of exercise is a far greater threat to your well-being than having your Google account hacked...

This is by no means universally true. Plenty of people get enough exercise outside of the app, and plenty of people have Google accounts for which compromise could be very significant.

It should at the very least be disclosed in the OAuth flow that I'm giving away admin rights to the app. Facebook's flow won't even let me give away my email address without an explicit decision to do so. The current silent-but-deadly flow is inexcusably risky.

Pokemon Go, like most apps, is likely just a fad. In a few months, only a few thousand die hards will still be playing it. But the full access permissions will still be there.

That's what my parents said 20 years ago... hasn't died yet

You should try the Go game. It may have some lasting power I haven't seen yet, but its not the normal Pokemon game by any stretch. The core gameplay is actually pretty boring once you've done it for a little while (i.e. once the initial euphoria of catching things wears off).

Oh I have been playing and while it is far inferior to the core Pokemon gameplay, I have met over 30 new people because of this game in less than a week. People who I've never talked to at work, I am now talking to.

I have honestly never used an app that has brought me closer together to the people around me. I don't see this being a fad.

Point. If you use a lot of things that require access permissions, maybe it should be part of your spring cleaning or some such to look through what you've given permission for, and cancel anything you haven't used in the last six months or whatever.

Full access is bad enough, but the really dodgy thing going on is that you never get asked to approve or deny that access for Pokemon Go when doing the OAuth flow. You just log in, proceed through 2fa, and you're magically logged into the app. Pokemon Go Release then shows up as an authorised app... except I never authorised it.

My theory is that they're injecting JavaScript into the web view to automatically press the 'Approve' button and hiding that from the user. If true, that's very worrying. They'd be effectively circumventing the whole OAuth framework by forging the user's approval of the app. Every user should have been asked up-front whether or not they wanted to approve or deny Pokemon Go's full access.

I spoke with a friend of mine at Niantic. They are in communication with the oauth group at Google, and are fixing the issue.

Can you also tell them to read a few Reddit threads, or Twitter? There are many, many issues which will limit the lifetime of this game.

I know Google lets you see which apps are connected to your account via https://security.google.com/settings/security/permissions but is there any page where I can see what activity was done on my account by particular apps?

A lot of aspects of Pokemon Go are less than polished from an app dev perspective. The way they ask for device permissions doesn't follow best practices at all (no explanation of why they need them). The interface has too much explanatory text in some places (how much useless backstory did I need to click through to start playing?) and not enough in others (it took me forever to figure out what I was supposed to do once I found a pokemon). My sister-in-law was complaining about how all the pokemon graphics are very 2D, when they could easily have sprung for some shading or shadows.

I suspect they built an MVP and launched it and it happened to take off, and we'll see some more polish in the future.

For this particular issue though - I'd bet that Niantic has some sort of data-sharing agreement with Google, anyway, making this point moot. They started as an internal startup at Google, and they make really heavy use of the Maps & Places APIs that would probably cost a fortune if they didn't have some sort of bulk data sharing agreement.

There are enough kids playing this maybe the FTC will get involved. Maybe some sort of basic privacy requirement.

How is it possible that signing in didn't inform me what permissions I was granting? I didn't think I was giving anything except my email address.

Kids (under 13 in USA, under 16 in Netherlands) aren't allowed to have gmail accounts AFAIK


That's due to a Clinton era law Children's Online Privacy Protection Act of 1998 (COPPA). It forbids companies form collecting personal info from children under 13 without their parents permission.

What's funny is that nobody seems to provide a workflow to actually create accounts for kids. I want to set up a supervised google account for my son for hangouts et al... and I have no idea how. I guess that's not a thing.

It is for some services/websites that have policies in place. Google probably doesn't care enough to have a process, not worth it for them.

Since I can't edit here is an example:


Google doesn't care because it takes more effort for them to obey by the law than its worth for them at this time.

Haha, I remember getting this signed and then faxed by my dad when I was like 11. Funny seeing it here because I first learned HTML from Neopets (anyone else?). HTML brought me to javascript and computer programming in general. 15 years later, that form is still up and I guess kids are still playing Neopets. And now I am here, weird.

>I want to set up a supervised google account for my son for hangouts et al...


Same reason I have a landline, so he and his friends can talk. He's 8.

That's their stated policy, but we've previously been able to get an under-13 child account though support by verifying parental consent, which is all COPPA requires in the U.S.

Kids know they have to lie about their age online to get access to anything worth having. My 9-year-old has been doing it as long as she's been allowed to use the internet.

Yes, so if the age is under 13 the "Google" option to signup is disabled. So you are forced to use the "Pokemon Trainer" account which I know nothing about.

The FTC is already involved by default: https://en.wikipedia.org/wiki/Children's_Online_Privacy_Prot...

I have no comment as to whether this is a violation or not; I know nothing about Pokemon Go. I'm just pointing out there is already extensive regulation here.

Right, I meant I hoped they'd actually do some saber rattling or action.

When you first sign up you have to enter your age, I don't know if there is a minimum age for the game. As an adult I'm old enough to get through that prompt.

> I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk.

Why not just create a separate google account if one's so eager to play?

Seriously; I created one just to avoid entering 2fa every time servers go down.

The pokemon trainer site does work, just requires a lot of refreshing...

I tend to trust easy to revoke, well tried auth mechanisms over someone's home-grown version—especially judging by e.g. playstation network's terrible history. I simply don't trust Nintendo to not require me to reset my password with a breach, and I'm lazy as hell.

Yikes, I had no idea who Monte Davidoff was. I've actually read his floating point routines! This is embarrassing; I wish I could edit my other post still.

Anyway, my point stands—Bill started as a coder, good enough to code on the pdp-11(?); Steve never was one.

Or just sign in with your e-mail address. It's an option provided by the app.


I did, it's incorrect. New accounts are being accepted.

Who uses their "main" Google account for these one off services anyway? I can't imagine it would be too popular to keep pseudo-anonymity. you don't want to post lol cats from the same account you use to send your resume, I would think.

Is that a rhetorical question? Probably 99% of people playing this game who sign in using Google use their main (only) Google account. I'm sure it never even occurred to them to make a second one for something like this -- that would just be a hassle.

Why should I? Why should this be legal in the first place without asking my permission?

Isn't Niantic actually affiliated with (part of?) Google in some way? So it would seem natural, if odd, that it doesn't ask for full permissions for the account is actually already has full permissions to. In the same way google docs doesn't ask, but gets, full permissions to your google account, or google+ doesn't ask, but gets, full permissions to your google account.

Google no longer owns Niantic

Well then that is a strange security lapse on Google's part. A spin-off company that had internal high-level access privileges, is spun off, and can still retains those high-level access privileges? That seems like a mistake somewhere.

I don't think there are any internal privileges involved here. Why do you think so?

You can make an app that does the same thing right now.

What are you talking about?

It's developer laziness.

I don't know the android ecosystem well. Can any random app ask for and be granted full access without informing the user of that elevated access request?

That is a feature of the Google sign-in system.

The security policies for that sign-in system are not as granular as Android's security policies.

Normally an app would request permissions at run-time or install-time.

Not fully, but they're still very much involved. Money talks, and they're invested.

Here I thought the article was going to be on how Pokemon Go encourages people to wonder into dangerous or restricted areas while paying attention to their phone. The odds of someone getting attacked in a rough area would seem to go up with such an app given how critical situational awareness is. I don't know enough about how the app works to assess that, though.

One app that got me thinking about these things was Google Maps. I noticed it directed me through The Hood of a murder capital to save 3 minutes on a route. An area where people are known to surround cars or level guns on their owners. I had to wonder how much more risk like this is in any GPS-enabled app that sends you from point A to B.

There was a lot of controversy previously about mapping applications having "Avoid" areas. They were basically neighborhoods with high crime rates which also happened to be neighborhoods with high minority populations. Small business owners/home owners didn't like being grouped as "avoid" when they didn't have any real control over it. Or something like that.

[0] http://www.npr.org/2012/01/25/145337346/this-app-was-made-fo... [1] www.citylab.com/tech/2012/01/gps-smartphones-and-dumbing-down-personal-navigation/1036/

It's funny you say that as I just confirmed and cited it in another comment:


A prior comment related to Amazon Prime's apparent discrimination. I pointed out that Prime was avoiding crime not minorities. Local drivers, which Amazon outsources to, confirmed it for me personally in an unofficial sense where they agreed & personally wouldn't deliver to those areas.


So, it's a recurring theme but the crime angle is usually downplayed by left-leaning media. I agree with Microsoft's approach but I urge companies focus on crime statistics. There are many areas that are white and have tons of violent crime. Many areas are black with little violent crime. It needs to be about avoiding violent areas rather than minority areas specifically.

Damn. That was one of the risks we identified with prior GPS apps. Hate it's happened but appreciate the link.

What city is this? Just curious. I don't know any such city in the United States

Just look up top 10 cities or metro areas for violent crime. Memphis Metro Area, in and around Memphis TN, is one of them on most years. We have lots of good areas and things going on with the worst stuff mainly in impoverished, minority areas. Lots of street gangs that maintain efficiency and image with armed robbery, murder to solve disputes, and/or initiation by murder of innocent, harmless people. Impoverished, white areas are fairly safe with their crooks mainly doing property crime or con jobs. Rarely violent. Most impoverished areas I've been have a mix, though. Middle-class and upper-class areas are also fairly safe outside property crime regardless of mix. Last I checked, city was going mostly Black with lots of Latinos coming in and Whites moving out due to crime. Actually, exits from all races for that. Often outside of Memphis but having jobs inside it. Economy & education keep going downhill predictably. Many companies refuse to deliver to certain areas or leave the city since theft overtakes profits quickly. Many make it, though, with beefed up security. Local grocer has 8 security guards for one store. Police themselves guard best, Chinese, food place. Haha.

That's backdrop. Relevant here, North and South Memphis are largely the worst in terms of violence. You do not want to be in certain neighborhoods regardless of color. Even cops avoid them. Others are a risk more if you're white or look like you have property to take. Local media & cops suppress the worst of it to maintain tourism revenue (eg Elvis, BBQ) although the murders naturally get reported. Examples of censorship were kicking out The First 48 show and rape kit scandal. That Google Maps takes you right near those areas is probably why lots of people think the whole city is hood and trashed rather than just those parts. They never see the good parts unless specifically visiting them family, friends, jobs, or tourism.

So, yeah, it's a real issue. I double-check Google Maps if I'm going anywhere Downtown, Midtown, North, or South as it doesn't differentiate risky vs non-risky areas. I regularly have to force it to make safer routes. Straight-up avoid certain areas of the city unless I'm packing heat & with backup. Otherwise, still all kinds of good things to get involved in over there with most folks being alright. We just in a rough area and economy. :)

Note: As another example, BLM protestors sieged our Interstate (I-40) last night for hours then dispersed into Downtown. Local news cautioned everyone to stay away from that area for safety as it's normally dangerous but now unpredictable. Bad route at the least. Google routes still offering me a speedy trip through there, though. Unreal.

It should be noted that it sounds like only iOS users are seeing this.

I signed in with my Android, and I didn't see anything from Niantic or Pokemon Go in my security settings.

Same here (Android user), and I just double checked what apps have access to my google account, and nothing from Niantic or Pokemon Go listed at all.

Doesn't Google OWN Niantic? So now Google has access to our Google data? Don't see the issue.

1. Google no longer owns Niantic, they spun off as their own company last year.

2. The security risk isn't that Niantic is going to turn evil, it's that Niantic becomes an access point for other (evil) hackers.

They no longer own them. They were spun during the housecleaning before the Alphabet announcement.

Yep, though they also soon after made a further investment in Niantic. It may sound bizarre at first, but there might be good reasons why they did that. For instance, Nintendo might've been less likely to team up with a wholly Google-owned Niantic. (purely speculation on my part)


I strongly suspect a direct Google/Nintendo tie was considered less favorable than some little ex-Google company that still uses Google servers working on a Nintendo game. The announcement timing was pretty close.

Having been created by ex-Googlers you would think they knowingly chose to get full-access permissions. I wonder if there is a some ulterior motive to the app. Some have suggested up-to-date street-view mining; that wouldn't require full google account access though.

> So now Google has access to our Google data? Don't see the issue.

Even if they were still owned by Google, a compromised phone with Pokemon Go has a nice juicy access token with admin rights to your account to siphon off.

This seems like a massive security fail on Google's part. There's no reason the OAuth flow should be able to request admin privileges silently. As a user, I really must get a prompt asking me (and warning me!).

On a sidenote: does anyone know why the fuck are the servers so overcrowded? In a world with a whole bunch of automated cloud management solutions and auto-scaling, where is the problem?

I'm running iOS 9.3.2, and signing in to Pokemon Go caused it to have full access to my Google account. Just revoked it and looks like I can still play the game just fine.

Perhaps they misconfigured the Google auth sign-in? It's rather worrisome that it's this easy for an application to gain full access to your account, though.

Did you check the permissions again? I did the same, running the same iOS version, and it just restored the same full-access when I opened the app again.

Yep, just checked. It's not here at all. Were you asked to sign in again after you revoked?

I did the same. The app worked for a little while but bugged me to sign in again after a close and restart of the app. No thanks.

Here's a weird question. https://www.facebook.com/NationalMallNPS/photos/a.3795806520... Pokemon Go is designed to not only augment places where people already are but also to direct them to other places. My friend just ran down the Ninatic/Google connection. Can the app be used to direct people away from polling places and/or to congest areas around polling places?

To wit, would anyone be interested in tracking (I can do it for at least some locations) the locations of gyms in comparison to polling places? (I haven't used the app; can one get a location of gyms?)

[lol. let me clarify my interest would be in thwarting rather than harnessing this possibility.]

Also... the Clinton campaign just announced it would be having an event at a 'Pokestop,' and Clinton referenced the game. http://thehill.com/blogs/ballot-box/presidential-races/28779...

screw pooling places, what about locations of businesses (restaurants etc) that spend serious $$ for Google advertising?

I mean... that'd be an issue. I don't think it'd be as big an issue as widespread electoral fraud or electioneering. But it'd probably be an issue...

Any idea how long the signup page is down? I made my account yesterday and, when forced between using my google auth and making some pokemon.com account, it was a no brainer to not use my google account. It took me a few tries but since this is a game and not something in the realm of life-and-death, I found it wasn't horrible to actually wait. And try again.

The entire issue is predicated on using your google account credentials which isn't really mandatory. Maybe I'm overly cautious but I don't use my google account to auth anywhere. If that's the only option, and it's not a google product.. then it looks like I'm not using that service.

It's been down since at least last Thursday. The way I hear it it's been much longer.

But, again, I made an account yesterday. <24h ago. So, is it _actually_ offline, or are people hitting the friendly little google button instead of just waiting? If it's the latter, then while I don't disagree about the gravity of requiring "All Perms" for a stupid game, I kind of feel like people deserve whatever happens for their impatience.

Don't just throw around account access, no matter how pervasive, in the name of impatience. Ever.

The game never asks for access, it's not clear in any way how much information you're giving them.

In the past I've tried to use Google to sign in to some games and been given a screen that I noped out of because of what it was asking for. That didn't happen here. I assumed they only got my email address (if that), not full email/contact/calendar history.

I checked my Google permissions. iOS has a fair amount, Mac OS X has a fair amount, Pokémon GO has more than both put together. Without asking. That's crazy.

That's great news. I can't do it, but the error message has changed from 504 to try again.

Keep hitting F5, and you'll eventually be able to register.

Thing like this is why i dont use google, facebook etc and only have 4 apps. I love technology but it looks like hardly anyone is looking out for the consumer,let alone a non tech savvy consumer.

I'm more worried about my daughter getting hit by a car (because she walks in front of it, or because the driver is playing) than I am about my google account being hijacked!

How about your daughters naked selfies leaking because someone breached Niantic and leveraged access to gdrive?

So the solution is to create a throw away gmail account, I guess? Or not bother playing at all.

Just revoked access because the app never disclosed this information on signing up with my Google account. This is sick.

I detected that immediately when I signed up with google at first. No double-checking what I was ok with sharing with the company. Had to remove their permission from my account settings right away. Signed up with their email/password system, much better.

On Android 6.0 I got the correct permissions dialog and I was able to select what the app sees and what it can do. Is this just me?

But isn't that what the app needs from your phone? I always thought that was difference then what you are giving an app permission to do when using OAuth

On Android they're able to use the OS APIs to access that information because the google account is closely tied to the OS so the permissions there are basically permissions to the phone data because with Android they're pretty much one and the same.

I also see this. It asked for I think 4 separate permissions that you could allow or deny.

Seem like a issue with Google Auth on iOS. I've logged into Pokemon Go from my Android and iPhone. I revoked the access of "Pokemon Go release" from Connected Apps page then logged in again from my Android phone. "Pokemon Go release" doesn't show up in my Connected Apps page anymore even after a login from Android.

Where there's a security hole, there's an exploit.[1]

[1] https://thestack.com/security/2016/07/11/infected-pokemon-go...

This is completely unrelated because it isn't exploiting anything (other than humanware)

Any modified APK for any App could be loaded in with a RAT asking for full permissions. It just happens PKMNGO is popular and people are trying to get their hands on it before it is officially released in their region.

Wow. This game must be the fastest thing to skyrocket into worldwide popularity. Yesterday I noticed someone on social media talking about it. "Some random game pokemon fans like" - I figured. Today it seems like everyone around the world is playing it. And it was released just a week ago? Never seen anything quite like it.

This article, though rife with paranoia, brings up some interesting points.


Could you simply create a new google account for the sole purpose of playing pokemon go?

Could you not simply create a new google account strictly for use with pokemon go?

One could, but will everyone do that?

Title isn't exactly accurate - can we edit this to indicate iOS only?

I got a number of permission requests at runtime the first time launching the app. If anything, it appears to be running into more of the Android 6 runtime permissions.

Funny enough when I downloaded the app I didn't use my official account and I logged in with a secondary account wondering exactly about this.

Funny enough, when I installed the game I didn't use my official Google account and I used my test one thinking about this. Glad I did it.

kind of a scam, just a bad wording from google "full access" and old oauth workflow - but no real security threat

TLDR: Pokemon Go can't read your gmail - he checked


I'm usingn the android version. they aren't even a connected application. so no risk in Android.

So, Pokemon Go is not listed under my account... Could it be the mallware version?

Should be listed as "Pokemon Go Release" here: https://security.google.com/settings/security/permissions

If you're on Android it's done properly through app permissions and doesn't encounter this issue.

I see google Chrome gets full account access... I guess this is required? Or not?

Better/more neutral title: Pokemon Go asks for full Google permissions

It doesn't ask though:

"Normally you’d see a little message saying what data the app is going to be able to access - something like “This app will be able to view your email address and name”. For some reason that’s not shown in this case"

You're right, "asks" isn't the correct word and I apologize.

The title could still be more neutral/explanatory, though.

Not really. There is absolutely no reason for a game, or pretty much any other kind of software, apart from maybe an operating system, to have full access to your Google account. It adds a new single point of failure for everything somewhere you have no control over – I don't think "huge security risk" is unnecessary editorial in this case.

I was not asked. I put in my username, password, 2FA, and that was it. No permissions dialog - I certainly wouldn't have given it admin rights to my Google Account.

Even better title: "iOS users using Google Account sign-up affected by Pokemon Go permissions bug, Android unaffected"

Why in the world would they do this? Or was this just merely an accident?

Niantic used to be owned by Google, so they should know what they're doing.

It does work properly on Android. It only asks for access to Location, Contacts, Camera, and Storage.

Those are just things it has access to on your phone. That's not the permissions you give it on your Google account, which might include sending email as you. Those you can find here https://security.google.com/settings/security/permissions?pl...

I checked that page already. I can only speak for myself but for me it has no listing on the Google Permissions page so it looks like it does permissions correctly to me.

I'm running Android 6.0.1 on a Nexus 6 btw.

It doesn't appear in that list for me, curious if this is only affecting iPhone users and/or Android 5 and below.

According to https://techcrunch.com/2016/07/11/pokemon-go-shouldnt-have-f... it also happens sporadically on Android 5 and 6, and iPhones.

I can't tell whether this game is the most heavily marketed social-media blitz of all time or truly viral. A virtual treasure hunt game finally gets people outside? Come on.

Jesus Christ, They wants to catch 'em all


How is this any more "end of the world" than people watching TV?

Oh, are you chasing virtual pets 43 minutes 23 secondes per day in average too ? I'm sorry, really, I should think more positively of the future. My bad, will improve, promess ! Let's start by creating a facebook account, we will learn the pokemon thing after, one benefit per humanity at a time.

The amount of self-aggrandizing and general contempt for people I see on HN really astounds me sometimes.

I'm all with you for general contempt for people on HN.

I read everyday here the HN crowd claiming urgent need for an elite to set up a globalized centralized European Federal Union to get rid of nations and populism. I see people being bashed and insulted for supporting their own nation and not living for the NYSE.

Let's just throw away states, cultures, religions, and build a global free market where everyone would be happy consumer. Maybe facebook and Jp Morgan can help in this mission.

Let's celebrate the day when everyone will be chasing virtual pets on their phone. We're so in love with the people !

Pikachu !

It's a free game everyone.

When something is free to play, and involves you walking around with geo services and a camera on, you and your data are the product.

This is just massive data collection disguised as a video game.

No, they make their money through IAPs.

No one signed up to let Niantic read their email in exchange for free items.

Maybe no one on HN or in your circle of friends, but I think you massively overestimate the average user's sense of data protection.

I'm willing to bet if you put a warning that said "This app will read your email" a ton of people would react. Not 100%, but a ton.

Especially parents.

Okay. They are also selling user data.

While that may be true, it isn't relevant to the conversation about how deep into the permissions forest the app is reaching.

Pokemon Go can collect the bunches of the data it wants without having admin-level access to their users' Google accounts.

Applications are open for YC Summer 2023

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact