Users who registered to play the game’s iOS app using Google accounts also gave the app permission to read emails and check out browser history
Gamers who have downloaded the Pokémon Go augmented reality game may have unwittingly handed over access to their emails, search histories and Google Drive data.
The security vulnerability appears to affect players who signed up to play the game using their Google account on Apple devices.
Typically app developers use this approach to make sign-up quicker and easier for players – it uses existing credentials stored on your phone so you don’t have to create yet another online account. Usually apps only require basic information such as your name, email, gender and location and this is explained clearly at the point of sign-up.
However, Niantic Labs – the company that developed Pokémon Go – did not have clear messaging about what data the app would have access to. Once signed up, many iPhone users were surprised to see that the app had “full access” to their Google accounts, which allows apps to read and send email, access, edit and delete documents in Google Drive and Google Photos, and access browser and maps histories.
Adam Reeve, a software architect, described this as a “huge security risk”, though apps with full access can’t change the account password, delete their accounts or pay for things using any connected credit cards.
Full access is requested by very few apps, and should only be granted to apps that users fully trust.
There is nothing to suggest that Niantic Labs intentionally sought to gain access to users’ personal data, but the problem is a significant oversight. The company’s other augmented reality game, Ingress, only requests a user’s basic profile information.
“This is probably just the result of epic carelessness,” wrote Reeve, pointing out that he didn’t think the company was planning some “global personal information heist”.
“But I don’t know anything about Niantic’s security policies. I don’t know how well they will guard this awesome new power they’ve granted themselves, and frankly I don’t trust them at all,” Reeve added.
Users can check whether Pokémon Go has access to their personal data in Google’s account settings. Users can choose to deny the app permission to access their Google accounts – although this means no longer playing the game.
It’s not the only security risk for Pokémon fans. Security researchers at Proofpoint have spotted a malicious version of the Pokémon Go Android app that has been infected with a remote access tool that gives attackers full control over the victim’s phone.
The malware hasn’t made its way on to Google’s app store yet, but it was discovered in an online file storage service, being marketed to unsuspecting users as the genuine game. Because the game hasn’t been rolled out globally yet, some impatient users have been downloading Pokémon Go from third parties, running the risk of infecting their devices with the unofficial software.
“Rogue apps can be hard to differentiate from real apps. It’s a really scary proposition and it’s getting progressively worse,” said Stephen McCarney, of the security company Arxan Technologies.
Domingo Guerra, founder of mobile app security company Appthority, agrees.
“It seems to have been done by mistake,” he said, warning users to reconsider downloading the game until the problem has been fixed. “Once you grant access you never know what a third party can do with your account,” he said.
Having access to your email account could allow a malicious attacker to change passwords on all sorts of services including online banking, he warned.
“I’m pretty sure it’s going to get fixed pretty quickly, but it’s not worth the risk.”