Current status at @trailofbits: a dozen people arguing over which identity system sucks more: google, microsoft, facebook, or others.
-
I'm going to be using #PokeGate for future tweets about this. Just calling dibs on that before it gets out of hand.
-
OK we're getting there. Pokemon Go has some rudimentary jailbreak detection which has now been bypassed. Time to find what scope they use...
-
Ugh the rabbit hole goes deeper. There is no solid answer yet, people, but it's not as simple as can access "everything" or "nothing".
-
Brief update: clearly, Pokemon Go is over-provisioned for access to your Google Account. The severity of that is an open question.
-
We've narrowed down exactly what the issue is on the Pokemon Go / Google side, we're working to identify exact data at risk now.
-
I've been neck deep in a #PokemonGo writeup all weekend. The rabbit hole is so deep.
-
OAuth is some serious bullshit omg
-
Full account access grants quite a bit of access beyond biographical related info. pic.twitter.com/UhpeY7DIhH
-
I know, I saw that. I think it's poorly worded.
-
Can you clarify what makes you think that?
-
Actions like sending email require explicit permissions from each service. It will say "Has access to Gmail".
-
IFTTT can send emails and its language suggests a step down from "full access." pic.twitter.com/R6EtBfnlpV
-
Exactly. See, it says "Gmail" in that screenshot. The Pokemon one does not.
-
But it only says Gmail because it has "some" access so it's listing the aspects of that access. Full wouldn't need a list.
-
I understand the confusion. This is the most unintuitive permissions system ever. I will have a 100% answer very soon.
-
Waiting with bated breath as to whether I have to start over in Pokemon Go, haha
-
I'll have an answer soon! But you don't have to wait. Revoke access here, it doesn't affect play: https://security.google.com/settings/security/secureaccount …
-
It allows you to keep playing, but as soon as you have to log in again it takes full access (silently!) again
-
How does it get and restore permissions without showing an appropriate prompt from Google? Does the app have your pw?
-
We weren't able to find great info about what was going on. We posted all our notes here: https://blog.trailofbits.com/2016/07/11/why-i-didnt-catch-any-pokemon-today/ …