The Twitters told me today that Pokémon Go's Google account sign-in takes full access privileges, which is pretty obviously not good.

From Kotaku:

Update - 10:07pm: Niantic says it was a mistake that will be fixed soon. Here's their statement to press:

We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account. ... Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.

Let's look at that last line again...

Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves.

What does that mean, exactly? I mean, they do have full access, I guess. ;^)

Anyhow, my first and continued response to this is...

If only there was some way we could create fake, throwaway Google accounts with no personal data whatsoever to use for trivial purposes like this one.

le sigh


Update: So this is the "real" issue, and one I wondered about when I created a login with my [throwaway] Google account:

I didn't see the "Pokémon GO is requesting these permissions" screen either. And that's the real issue with OAuth in any application that isn't a browser built, downloaded, and run from a trusted source: you can't tell for sure that the app isn't using an embedded browser, one where every keystroke is easily viewed by the app's authors.

In fact, if someone were after your information, they'd arguably do better (at least against accounts without two-factor authentication) to sniff your password from inside an OAuth flow that asks only for the appropriate level of permission (ID and email), so as not to raise the red flag we're seeing here.
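The two things worth checking before typing a Google password into a sign-in screen follow directly from the above: what scopes the app is actually asking for, and whether the consent page appears to be rendered inside the app's own embedded WebView rather than a real browser. The script below is an added example, not code from this post, from Niantic, or from Google; the client_id, redirect_uri and user-agent strings are constructed samples, and the WebView test is a user-agent heuristic that an app controlling its own WebView can trivially defeat, which is exactly the point made above.

```javascript
// Added example, not code from the original post or from Niantic/Google.
// Two checks to run on a Google OAuth authorization request before typing a
// password into it: (1) what scopes is the app actually asking for, and
// (2) does the page appear to be rendered inside an app's embedded WebView?
// All URLs, client ids and user-agent strings below are constructed samples.

// Scopes that only yield basic identity data. Anything outside this list
// deserves a look before you consent.
const BASIC_PROFILE_SCOPES = new Set([
  "openid",
  "email",
  "profile",
  "https://www.googleapis.com/auth/userinfo.email",
  "https://www.googleapis.com/auth/userinfo.profile",
]);

// Pull the scope parameter out of an authorization URL and separate the
// sign-in scopes from everything else the app is requesting.
function auditScopes(authUrl) {
  const url = new URL(authUrl);
  // URLSearchParams already turns '+' and '%20' into spaces.
  const scopes = (url.searchParams.get("scope") || "").split(/\s+/).filter(Boolean);
  const extra = scopes.filter((s) => !BASIC_PROFILE_SCOPES.has(s));
  return { scopes, extra, basicOnly: extra.length === 0 };
}

// Heuristic only: Android's WebView adds a "wv" token to its user agent, and
// iOS WebViews send the "Mobile/" token without the "Safari/" token that real
// Safari appends. An app controls its own user agent, so "false" proves
// nothing; "true" is a reason to stop and sign in through a real browser.
function looksLikeEmbeddedWebView(userAgent) {
  const ua = userAgent || "";
  if (/Android/.test(ua) && /;\s*wv\)/.test(ua)) return true;
  if (/iPhone|iPad|iPod/.test(ua) && /Mobile\//.test(ua) && !/Safari\//.test(ua)) return true;
  return false;
}

// Combine both checks into a list of human-readable warnings.
function assessAuthorizationRequest(authUrl, userAgent) {
  const warnings = [];
  const audit = auditScopes(authUrl);
  if (!audit.basicOnly) {
    warnings.push(`requests more than basic profile data: ${audit.extra.join(", ")}`);
  }
  if (looksLikeEmbeddedWebView(userAgent)) {
    warnings.push("consent page appears to be inside an embedded WebView");
  }
  return warnings;
}

// Constructed samples (the client_id and redirect_uri are placeholders).
const SAMPLE_BASIC_URL =
  "https://accounts.google.com/o/oauth2/v2/auth?client_id=example.apps.googleusercontent.com" +
  "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code" +
  "&scope=openid%20email%20profile";
const SAMPLE_BROAD_URL =
  "https://accounts.google.com/o/oauth2/v2/auth?client_id=example.apps.googleusercontent.com" +
  "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcb&response_type=code" +
  "&scope=openid+email+https%3A%2F%2Fmail.google.com%2F";
const UA_IOS_SAFARI =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1.46 " +
  "(KHTML, like Gecko) Version/9.0 Mobile/13E233 Safari/601.1";
const UA_IOS_WEBVIEW =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1.46 " +
  "(KHTML, like Gecko) Mobile/13E233";
const UA_ANDROID_WEBVIEW =
  "Mozilla/5.0 (Linux; Android 5.1.1; Nexus 5 Build/LMY48B; wv) AppleWebKit/537.36 " +
  "(KHTML, like Gecko) Version/4.0 Chrome/43.0.2357.65 Mobile Safari/537.36";

console.log(assessAuthorizationRequest(SAMPLE_BASIC_URL, UA_IOS_SAFARI));     // []
console.log(assessAuthorizationRequest(SAMPLE_BROAD_URL, UA_ANDROID_WEBVIEW)); // two warnings
```

The scope audit is the check you can actually trust, because the authorization URL is what the identity provider sees too; the WebView test is the one the post says you can't rely on, since a malicious app can send any user agent it likes and can read the keystrokes regardless of what it claims to be.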
