The massively popular Pokémon GO game turned out to be giving some users more than they bargained for by obtaining a token for full account access to their Google accounts -- without asking permission first.
Following the launch of the Pokémon GO mobile app last week, the game's developer, Niantic Inc., was forced to fix the iOS version of the app after a security researcher reported that, when he signed in with his Google account, the game obtained a token that could grant full access to that account. While the app itself could not act upon that access, the flaw introduced the risk of a token exchange attack.
Adam Reeve, principal architect at security firm RedOwl Analytics in Baltimore, wrote on Tumblr that when he started playing Pokémon GO using his Google account to authenticate, he had expected to see "a little message saying what data the app is going to be able to access -- something like, 'This app will be able to view your email address and name.'" No message was forthcoming, but Reeve said he was shocked when he checked the game's permissions and saw: "Pokémon GO has full access to your Google account."
Pokémon GO allows logins through the Pokémon Trainer Club website or using a Google account; however, the Pokémon Trainer Club was overwhelmed by the initial rush of new players and suspended new registrations, leaving players with only one option: to log in using their Google account credentials. The permissions overreach occurred only on the iOS version of the app; Android users were not affected.
Niantic admitted the mistake and explained that, although a full-access token was granted to Pokémon GO, the app accessed only basic Google profile information.
"We recently discovered that the Pokémon GO account creation process on iOS erroneously requests full access permission for the user's Google account," Niantic wrote on its website. "However, Pokémon GO only accesses basic Google profile information (specifically, your user ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon GO or Niantic. Google will soon reduce Pokémon GO's permission to only the basic profile data that Pokémon GO needs, and users do not need to take any actions themselves."
Reeve initially reported the token granted to Pokémon GO could give Niantic the ability to read users' Gmail, send email as the users, and access and delete files in Google Drive. In fact, Google itself said full account access allows applications a wide range of potentially dangerous capabilities.
"When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can't change your password, delete your account, or pay with Google Wallet on your behalf)," according to the company's support page. "If you've granted full account access to an app you don't trust or recognize, we recommend that you revoke this permission by clicking the Revoke access button."
However, other security experts later determined that, while the grant did not let Pokémon GO read or send email and in practice exposed only basic Google user information, it did open the door to a token exchange attack using the full-access token.
Ari Rubinstein, senior staff engineer for product security at Slack, based in San Francisco, wrote about the flaw on GitHub and noted the problem arose from "an undocumented flow of being able to exchange a token with the https://www.google.com/accounts/OAuthLogin scope for a session token for Google properties." While Pokémon GO was not able to use its full account access to access users' Gmail and calendars, Rubinstein did say it is possible the OAuth access token could be maliciously exchanged for another, more powerful token, called uberauth. This would allow attackers to open up a web session on any Google service and obtain true full account access, creating a major security vulnerability in Google's authentication system.
Rubinstein noted it appeared the excessive permissions grant was the result of an honest mistake on the part of Niantic and Google, and the permissions were not being abused.
"It appears that using this token in the way that was initially suggested would still be difficult with this grant, as the type of use for it is not programmatic (unless there is another hidden API somewhere to grant API tokens). Omitting this scope seemed to make the auth known as 'Basic user information' instead of 'Full account access,' and is likely what Niantic will do to update the client. The auth flow is confusing, and Google should reflect that logging in with this scope can yield a token that can be exchanged for sessions on Google properties. [In my opinion], Google shouldn't be giving out this scope to non-Google apps."
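The scope mismatch discussed above, shown as an added example that is not Niantic's or Google's code: the authorization request asks only for the documented OpenID Connect scopes that cover what Niantic said it needs, and the audit function flags a grant that carries the OAuthLogin scope. The tokeninfo responses are constructed samples in the shape Google's `oauth2/v3/tokeninfo` endpoint returns; the client ID, redirect URI and deny-list of over-broad scopes are assumptions for illustration.

```python
"""Least-privilege OAuth 2.0 scope handling, as an added example.

This is not Niantic's or Google's code. It builds a Google authorization
request that asks only for basic profile scopes, and audits the scopes a
token actually carries, in the shape Google's tokeninfo endpoint reports them.
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse

# The scope Rubinstein identified as yielding "Full account access".
OAUTHLOGIN_SCOPE = "https://www.google.com/accounts/OAuthLogin"

# Documented OpenID Connect scopes covering what Niantic said it needs (user ID and email).
BASIC_SCOPES = ("openid", "email", "profile")

# Assumed deny-list for this example: scopes a game client has no business holding.
OVERBROAD_SCOPES = {
    OAUTHLOGIN_SCOPE,
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
}

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Authorization URL that requests exactly `scopes` (space-separated per RFC 6749)."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,  # CSRF token bound to the user's session
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def requested_scopes(auth_url):
    """Scopes an authorization URL will ask the user to consent to."""
    query = parse_qs(urlparse(auth_url).query)
    return set(query.get("scope", [""])[0].split())


def audit_tokeninfo(tokeninfo_body):
    """Given the JSON body of
    https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=<token>,
    return (granted_scopes, overbroad_scopes). Run this on a token your own
    client obtained to confirm the consent screen matched the actual grant."""
    info = json.loads(tokeninfo_body)
    granted = set(info.get("scope", "").split())
    return granted, granted & OVERBROAD_SCOPES


# Constructed sample responses: field layout follows the tokeninfo endpoint, values are made up.
ERRONEOUS_GRANT = json.dumps({
    "aud": "example-client-id.apps.googleusercontent.com",
    "sub": "000000000000000000000",
    "scope": "openid email " + OAUTHLOGIN_SCOPE,
    "expires_in": 3599,
})
CORRECTED_GRANT = json.dumps({
    "aud": "example-client-id.apps.googleusercontent.com",
    "sub": "000000000000000000000",
    "scope": "openid email profile",
    "expires_in": 3599,
})


if __name__ == "__main__":
    url = build_auth_url("example-client-id", "https://example.invalid/callback",
                         BASIC_SCOPES, "nonce-123")
    print("request asks for:", sorted(requested_scopes(url)))
    for label, body in (("erroneous", ERRONEOUS_GRANT), ("corrected", CORRECTED_GRANT)):
        granted, overbroad = audit_tokeninfo(body)
        print(f"{label}: granted={sorted(granted)} overbroad={sorted(overbroad)}")
```

The check worth keeping from this is the second half: after your client completes the flow, send the access token to the tokeninfo endpoint and compare the returned `scope` list against what you intended to request. That is the only way to notice a grant like this one from the client side, because, as Rubinstein observed, the consent screen for this scope did not reflect what the token could be exchanged for.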
Niantic was previously owned by Google, but it spun off last year as an independent entity. It's still unclear how Niantic was able to obtain this OAuth scope and bypass the permissions notification that would normally accompany an application obtaining full account access. Dan Guido, CEO of cybersecurity firm Trail of Bits in New York, wrote in a blog post he and fellow security researcher Jay Little tried to replicate the use of the OAuth token in Google's OAuth Playground developer site, but were unsuccessful.
"This means that the OAuth Playground, Google's own service for testing access to their APIs, is unable to exactly replicate the permissions requested by Pokémon GO," Guido wrote. "It might be part of the OAuth 1.0 API, which was deprecated by Google in 2012 and shut down in 2015. If so, we're not sure why Pokémon GO was able to use it. We checked, and accounts that migrate up to the OAuth 2.0 API are no longer able to access the older 1.0 API."
For now, the Pokémon GO permissions issue appears to have been resolved. "Given that Google is going to be retroactively rescoping tokens to remove this [token exchange] possibility, Pokémon GO should be safe to play in the next couple of days on iOS, or even now," Rubinstein wrote. "Go have fun and play a game."
Other Pokémon GO security issues
While Niantic and Google have fixed the permissions issue on the iOS version of the app, other security issues have already surfaced. Proofpoint Inc., a Sunnyvale, Calif., cybersecurity firm, discovered an infected Android version of the game carrying the DroidJack remote-access tool. In its report, Proofpoint wrote:
"Although we have not observed this malicious [Android application package (APK)] in the wild, it was uploaded to a malicious file repository service at 09:19:27 UTC on July 7, 2016, less than 72 hours after the game was officially released in New Zealand and Australia."
Proofpoint noted, because "the game had not been officially released globally at the same time, many gamers wishing to access the game before it was released in their region resorted to downloading the APK from third parties."
Meanwhile, Microsoft program manager and engineer Dennis Delimarsky tweeted that Pokémon GO does not do certificate pinning, meaning the app may be vulnerable to man-in-the-middle attacks when used on public Wi-Fi networks. Without pinning, the client accepts any certificate that chains to a CA the device trusts, so an intercepting proxy such as mitmproxy, once its CA certificate is installed on the device, can read and rewrite the game's API traffic.
"Pokémon GO... get yourself whatever you want because I can hook directly into the APIs with mitmproxy. No cert check" -- Den Delimarsky (@DennisCode), July 9, 2016, pic.twitter.com/aR1VkwW2AD
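A pinning check of the kind the tweet says the app lacked, as an added example that is not Pokémon GO's code. It pins the SHA-256 of the server's SubjectPublicKeyInfo rather than the whole certificate, so routine renewal with the same key keeps working while any proxy-minted certificate fails, whether or not the device trusts the proxy's CA. The DER walker, the `pinned_connect` helper and the constructed certificate skeleton used for offline testing are all assumptions of this example, not anything from the game or from Google.

```python
"""SPKI certificate pinning for a TLS client, as an added example.

Not Pokémon GO's code. Pins are base64(SHA-256(subjectPublicKeyInfo DER)),
the same value HPKP-style pin-sha256 entries carry.
"""
import base64
import hashlib
import socket
import ssl


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos:]; return (tag, value, next_pos).
    Handles the short and long-form lengths real certificates use."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Yield each child of a SEQUENCE value as its raw TLV bytes."""
    pos = 0
    while pos < len(seq_value):
        _, _, end = _read_tlv(seq_value, pos)
        yield seq_value[pos:end]
        pos = end


def spki_from_der(cert_der):
    """Return the DER bytes of subjectPublicKeyInfo from an X.509 certificate.
    RFC 5280: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _ = _read_tlv(cert_der, 0)
    tbs = next(_children(cert_body))
    _, tbs_body, _ = _read_tlv(tbs, 0)
    fields = list(_children(tbs_body))
    if fields[0][0] == 0xA0:                # explicit [0] version present; skip it
        fields = fields[1:]
    return fields[5]                        # serial, sigAlg, issuer, validity, subject, SPKI


def pin_sha256(spki_der):
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def pin_matches(cert_der, pins):
    """True if the certificate's SPKI pin is in the configured set."""
    return pin_sha256(spki_from_der(cert_der)) in pins


def pinned_connect(host, pins, port=443):
    """TLS connection that is refused unless the leaf certificate's SPKI pin is known.
    Normal chain validation against the system store still runs first; the pin is
    an additional check, which is what stops a trusted-but-wrong CA from working."""
    ctx = ssl.create_default_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    if not pin_matches(sock.getpeercert(binary_form=True), pins):
        sock.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return sock


# Constructed test data: a certificate skeleton with correct DER nesting and
# placeholder contents. It is not a valid certificate and is never signed.
def der(tag, content):
    """Encode one DER TLV, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def constructed_spki():
    rsa_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
    return der(0x30, rsa_alg + der(0x03, b"\x00" + b"\x11" * 270))   # long-form length path


def constructed_cert(spki_der):
    version = der(0xA0, der(0x02, b"\x02"))
    serial = der(0x02, b"\x01")
    sig_alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"160709000000Z") * 2)
    tbs = der(0x30, version + serial + sig_alg + empty_name + validity + empty_name + spki_der)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 5))


if __name__ == "__main__":
    cert = constructed_cert(constructed_spki())
    print("pin for constructed cert:", pin_sha256(spki_from_der(cert)))
```

In a real client the pin set would be shipped with the app (with a backup pin for the next key), and `pinned_connect` would replace the plain socket setup; on a mismatch the connection is torn down before any request is sent.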