Pokemon Go Maker: Coding Error Gave Company Access to Your Emails
(CNN MONEY) The makers of Pokemon Go -- the insanely popular smartphone game -- were forced to make emergency fixes to the game because the app gave the company an unprecedented level of access into players' personal lives.
For some users with iPhones, signing into the game with the most convenient option -- using your Google account -- allows the gaming company to read your emails.
That's because the Pokemon Go app gets "full access" to your Google account. It's something most apps don't dare demand.
Google settings state that "full access" means Pokemon Go "can see and modify nearly all information in your Google Account."
That includes access to email, according to Google.
Niantic, the game's developer, acknowledged the coding "error" on Monday.
In a statement late Monday night, the company said it sought only minimal information -- a person's unique player ID and email address. But "the Pokemon Go account creation process on iOS erroneously requests full access."
Niantic promised it will not use this supreme access to personal information and said it has started working on a fix to reduce the user permissions needed to play the game.
"Google will soon reduce Pokemon Go's permission to only the basic profile data that Pokemon Go needs," the company said.
Niantic was forced to admit its mistakes on Monday after computer security experts realized that the video game gets a rare level of access to your Google account.
Adam Reeve, a computer security expert at the cybersecurity firm RedOwl, was the first to discover this.
"This is probably just the result of epic carelessness," Reeve wrote in a blog post Monday. "I don't know how well they will guard this awesome new power they've granted themselves... I really wish I could play, it looks like great fun, but there's no way it's worth the risk."
Google even warns users against granting this degree of trust on its settings page: "This 'full account access' privilege should only be granted to applications you fully trust."
Nintendo of America, which owns the Pokemon brand, refused to comment via an outside corporate representative, Andrew Karl.
"A game shouldn't require this amount of access to your data," said Mark Nunnikhoven, a computer security expert with cybersecurity firm Trend Micro.