“Privilege creep” is an IT term referring to the incremental accumulation of access rights beyond what is necessary to perform a task or function. This phenomenon is a source of worry for many people in the modern world (whether they can identify it correctly or not). Ten minutes on Facebook will likely uncover a user claiming to be “hacked,” or (less commonly) someone who actually has been hacked. We worry about whom we give permission to access our sensitive information, and that includes the apps we have installed.
Last Friday, a blogger named Adam Reeve made some waves when he released a blog post claiming the following about the Pokemon Go app:
Let me be clear – Pokemon Go and Niantic can now:
- Read all your email
- Send email as you
- Access all your Google drive documents (including deleting them)
- Look at your search history and your Maps navigation history
- Access any private photos you may store in Google Photos
- And a whole lot more
Is this true? Can the developer of Pokemon Go read all of your emails, send emails as you, delete your files? Dan Guido, CEO of New York cyber security firm Trail of Bits, investigated Mr. Reeve’s claims and found reason to doubt the blogger. In a call with Google support, Guido was told that “full account access” does not indicate that a third party can access, modify or send email, or nearly anything else Reeve claimed. It only means that a developer can read biographical information like email addresses and phone numbers.
Google support also followed up by sending the cyber security expert this statement, which has been provided by Gizmodo:
In this case, we checked that the Full account access permission refers to most of the My account settings. Specific actions such as sending emails, modifying folders, etc, require explicit permissions to that service (the permission will say “Has access to Gmail”)
If what Google support told Mr. Guido is true, then it looks like a great deal of what blogger Adam Reeve had to say was wrong (probably just speculation on his part run amok). Good thing, too. If what he claimed were in fact true, a hacker would be one hop and a skip closer to gaining access to all of our password changes, personal info, bank account access, etc. Let’s hope for our sake that it isn’t. (Let’s get serious: if you are reading this article, you probably already installed the app.)