The developers behind Pokémon Go are fixing a bug that gave the game far too much access to users’ Google accounts. Currently, the bug appears during the user account creation process.
For many players, signing into the game with a Google account is the most convenient option. Apps connected to the account can be granted access to basic data for your account, such as your name and email, which is quite common.
Another option called “full access” can see and modify nearly all information on your account, including your email. Google recommends that you don’t grant this level of access to applications you don’t fully trust, and most games don’t request this level of access. Up until the error was discovered on Monday, it was full access that Pokémon GO was requesting.
“We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user’s Google account,” said Niantic in a statement.
Niantic stressed that Pokémon Go only needs basic profile information—just a User ID and email address, and that Google has verified that neither Pokémon GO, nor Niantic, has received any other information.
The company is also working on a client-side fix so that permission is only requested for basic Google profile information.
“Google will soon reduce Pokémon GO’s permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves,” the company said.
According to CNN, Adam Reeve, a computer security expert at the cybersecurity firm RedOwl, was the first to discover the error.
“This is probably just the result of epic carelessness,” Reeve wrote in a blog post Monday. “I don’t know how well they will guard this awesome new power they’ve granted themselves... I really wish I could play, it looks like great fun, but there’s no way it’s worth the risk.”