The discovery sparked a wave of fear that playing the game might allow its developers, Niantic Labs, to read and send email, access, edit and delete documents in Google Drive and Google Photos, and access browser and maps histories.

In fact, both Google and Niantic Labs say that “full access” counterintuitively means nothing of the sort, a claim backed up by independent security researchers.

The issue appears to stem from the fact that Niantic Labs uses an outdated version of Google’s shared sign-on service. Typically app developers use this approach to make sign-up quicker and easier for players – it uses existing credentials stored on your phone so you don’t have to create yet another online account. Usually apps only require basic information such as your name, email, gender and location and this is explained clearly at the point of sign-up.

Used correctly, shared sign-ons should ask the user what permissions they want to grant the app, and any permissions beyond the basic requirements are clearly highlighted. But it seems that because Niantic Labs used an unsupported, out-of-date version of the sign-on process, that permission-granting step was skipped, prompting Google to default to warning users that the app had “full access” to their accounts.

Slack security engineer Ari Rubenstein has confirmed that, despite the misleading entry, only basic permissions are granted to the app.

“‘Full account access’ is not the best wording, and should probably be changed on Google’s end,” Rubenstein wrote. “My best guess for what is happening is that one of the scopes is a legacy ‘login’ scope from OAuth1 which may be leading the UI to default to ‘Full account access’, when in reality, it only has the above perms.”

Rubenstein was unable to access user emails or calendars, two of the most personal types of data in most Google Accounts, using the permissions granted to Niantic, suggesting that the episode really is the result of a mislabelling.

So when Google says "Full account access" that actually means "Uses a deprecated API I don't want to code walking through so just be scary" - click unfollow July 12, 2016

There is nothing to suggest that Niantic Labs intentionally sought to gain access to users’ personal data, and the company rapidly issued a statement saying no information had been accessed and that it was working with Google to fix the misleading permissions. The company’s other augmented reality game, Ingress, only requests a user’s basic profile information.

“We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account,” Niantic said.

“However, Pokémon Go only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected.

“Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves.”

The extent to which blame for the scare should be apportioned between Google and Niantic is still unclear.
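
As an added illustration (not code from Niantic, Google or this article), the sketch below shows how a granted permission set can be checked against the basic-profile scopes an app should need, instead of relying on the label shown in the account UI. It assumes an OAuth 2.0 introspection-style JSON reply with a space-delimited "scope" field; the app names, client IDs and the legacy scope URL are constructed placeholders.

```python
import json

# Scope names that expose only basic identity data (OpenID Connect and
# Google userinfo scopes). Adjust to what the app actually needs.
BASIC_SCOPES = frozenset({
    "openid", "email", "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})

def audit_grant(token_info_json, allowed=BASIC_SCOPES):
    """Return (ok, excess_scopes) for one introspection-style reply."""
    info = json.loads(token_info_json)
    raw = info.get("scope")
    if not isinstance(raw, str) or not raw.split():
        # No scope list: the grant cannot be verified, so fail closed.
        return False, ["<scope missing>"]
    # Scope tokens are space-delimited and compared case-sensitively.
    excess = sorted(set(raw.split()) - allowed)
    return not excess, excess

def audit_all(grants, allowed=BASIC_SCOPES):
    """Map app name -> excess scopes, for every grant that fails."""
    findings = {}
    for app, reply in grants.items():
        ok, excess = audit_grant(reply, allowed)
        if not ok:
            findings[app] = excess
    return findings

# Constructed sample replies (app names and the legacy scope are placeholders).
SAMPLE_GRANTS = {
    "game-basic": json.dumps({"aud": "client-1.example", "scope": "openid email"}),
    "game-legacy": json.dumps({"aud": "client-2.example",
                               "scope": "email https://legacy-login.example/scope"}),
    "game-unknown": json.dumps({"aud": "client-3.example"}),
}

if __name__ == "__main__":
    for app, excess in audit_all(SAMPLE_GRANTS).items():
        print(f"{app}: review grant, beyond basic profile: {excess}")
```

A grant with an unrecognised or missing scope list is flagged for review rather than assumed harmless, which is the conservative reading of an ambiguous "full access" entry.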