Pokémon Go Failed at Security, but Google Failed Harder

If you downloaded Pokémon Go (and there is a good chance that you did as it is at the top of the App Store charts), you may have tried to create a Pokémon trainer account, only to find that the servers were overloaded and that you can’t. So you likely moved to the other option, which is to use your Google account. If you happened to be using iOS, what you ended up doing was giving Niantic full access to your Google account. This means that short of deleting it entirely or spending money, they have almost limitless access to your Google data. This includes your emails, you contacts, your documents, your photos, and more.

Full Google account access granted to Pokemon

This is extremely bad. Any rogue employee at the company could potentially access any users personal data if they could gain high enough credentials. That is to say nothing of a potential server breach, which just became infinitely more valuable. While this is likely a mistake, it is a pretty major one.

But even worse is that Google allowed this to happen in the first place. At no point during the login is it ever presented to you that you are giving this high a level of access. Most other apps present a dialog explaining the permissions that you are about to grant before allowing you to confirm. But in this case, nothing. Full access is silently granted. This is a malicious hackers dream come true.

Not only should it never be possible to skip the permissions screen, but anything requesting full access should pop up a big, scary warning to make it painfully clear that you are about to sign over the keys to the kingdom. Especially considering how many Google accounts are being used in education and business. I question whether this should be an option at all for anyone other than a properly vetted and trusted partner. This is inexcusable both in that this is being allowed to happen, and that Google has not as of this writing blocked access. They should take their users account security far more seriously than being an inconvenience to Niantic.

And Niantic needs to issue a statement on this whole mess beyond “No comment to share at the moment.” No, sorry, the correct answer is “Holy crap we messed up and we have our engineers working to sort this out yesterday! All hands on deck.” This is a major security error that requires an emergency patch.

For now at least, revoke the app’s authorization. This will cut it off completely (that’s what is nice about OAuth, your password is not sent to the other company, so you can revoke access without having to change it).

Authenticating through a third party, especially one that is (normally) as secure as Google has its benefits. It means a hack on the third party won’t disclose your passwords, preventing the massive data dumps we have seen time and again. But I can’t help but feel we have allowed ourselves to become way too comfortable granting this access to our most important repositories of information. Google needs some serious quality control over what it allows to access your data. Say what you will about Apple’s app review. They may be heavy handed, but their demands to developers that they explain their reasons for requesting your data goes a long way to prevent this kind of error.

Pokémon Go Failed at Security, but Google Failed Harder was last updated July 11th, 2016 by Michael Truskowski