Pokémon Go secretly has access to everything in your Google account

When they say you gotta catch ’em all, Pokémon Go‘s developers may have meant catching complete control of every user’s entire Google account—largely in secret, without letting users know up front exactly what the app can do.

Today’s most popular mobile game lets users login through their Google accounts, but it fails to specify how Pokémon Go and Niantic, the company that’s working with Nintendo to develop the game, are going to use that account. The answer, researcher Adam Reeve reported, is that Pokémon Go can do almost anything with your account.

The app can read your email, send email as you, access your Google Drive, read your Google Search and Maps history, and look at private photos. All of that comes without any specific notification to you about how much of your data they’re opening up.

Furthermore, a users’ Google’s Connected Apps page doesn’t list Pokémon Go, so users can’t figure it out through that avenue either.

“Now, I obviously don’t think Niantic are planning some global personal information heist,” Reeve wrote. “This is probably just the result of epic carelessness. But I don’t know anything about Niantic’s security policies.”

Niantic Labs was owned by Google until late 2015.

Patrick Howell O'Neill

Patrick Howell O'Neill

Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.