Recently, some Pokemon fans logged into their Google account and became very upset when they saw this:


Holy “principle of least privilege” issues, Batman! An iPhone game has access to people’s Google accounts! And not just access, but full access.

Google is pretty clear on what full access means:

When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).

Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.

This “Full account access” privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.

If you’ve granted full account access to an app you don’t trust or recognize, we recommend that you revoke this permission by clicking the Revoke access button.

Why would anybody ever give a video game this kind of access to their life?

Well, as it turns out, iPhone users playing Pokemon Go didn’t exactly know they were giving Niantic this level of access to their data. That’s because when a user signs up for Pokemon Go, this is the OAuth flow they experience.

The Go Experience

First, the user is presented with the option to sign up with either Google or Pokemon Trainer Club. Unfortunately, as others have reported, the Pokemon Trainer Club option wasn’t working for a while.


When the user clicks on Google, they are presented with a Google login page which pops up inside of the Pokemon Go application. This is an embedded Google OAuth page.


Next, the user is asked to enter their password. So far, nothing out of the norm…


Then, a “Loading…” screen flickers in the embedded web view. As anybody who has used OAuth flows before knows, the next obvious step is a consent screen asking if we want to allow the application to access and use our account in some way.

Instead, what happens is the game starts:


Wait, what?

Programmatic Auth

If we intercept the related traffic with a man-in-the-middle proxy such as Burp Suite, we can see something fishy going on when the game talks to accounts.google.com over HTTPS.

First we get our service login page:

Next we post our account login info. This is the form we submit on the first OAuth screen; it accepts our username:

Next, we submit our password to the password challenge endpoint. This is the form we submit on the second OAuth screen:

We’ve been redirected to an endpoint called “programmatic_auth”:

We’ve gotten an OAuth code back, which we can then exchange for a token:

If you’re familiar with OAuth, you’ll quickly realize that the second step of the process never asked the user to accept the OAuth scope. Instead, after the user is presented with a password challenge, a request is made to an API endpoint named “programmatic_auth”.

If you google for “programmatic_auth”, you’ll come across a very small number of results. These include forum posts for Chromium development, malware analysis, and tech support for Google products.

This endpoint is not documented, because it is not intended to be public. From what I can gather, it is intended to be used exclusively by Google for OAuthing without explicit user consent. I suspect it is the same functionality which allows you to sign in to Google on iOS, Android, or Google Chrome without having to do the OAuth dance.

Niantic

So why is Niantic using this endpoint? How come they aren’t sending the user through the usual OAuth flow that every other third party application sends their users through?

It may have something to do with the fact that the company started as an internal startup at Google. They’re the same company which brought us the Android-first game Ingress. Their affiliation with Google may have something to do with their use of a private API endpoint.

Regardless, Google and/or Niantic made a big mistake. At a glance, the OAuth scope the application requests (er, demands) appears to pertain only to OpenID and the user’s email address. However, it is clear that the application ends up with a lot more than just that. Had Niantic used the same OAuth flow every other developer is forced to use, none of this would have been a problem.
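For contrast, here is what the consent-bearing flow every other third party uses looks like from the client side. This is an added example, not Niantic’s or Google’s code: it builds the authorization request with `state` and PKCE (so a consent screen listing exactly the requested scopes precedes any code), extracts the code from the redirect, and checks the token response’s `scope` against what was asked for. `CLIENT_ID` and `REDIRECT_URI` are placeholders; the sample token responses in the test are constructed.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's public OAuth 2.0 authorization endpoint. CLIENT_ID and REDIRECT_URI
# are placeholders: a real client gets both from its own registration.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
REDIRECT_URI = "com.example.app:/oauth2redirect"
REQUESTED_SCOPES = ("openid", "email")  # what the game appears to ask for


def make_pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_url(state, code_challenge, scopes=REQUESTED_SCOPES):
    """Standard authorization-code request. The authorization server shows
    the user a consent screen listing these scopes before issuing a code."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def extract_code(callback_url, expected_state):
    """Pull the authorization code off the redirect, rejecting a bad state."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up session")
    if "error" in query:
        raise ValueError("authorization server returned: " + query["error"][0])
    return query["code"][0]


def unexpected_scopes(token_response, requested=REQUESTED_SCOPES):
    """RFC 6749 section 5.1: the token response carries 'scope' when it differs
    from the request. Anything beyond the request is over-granting."""
    granted = set(token_response.get("scope", " ".join(requested)).split())
    return granted - set(requested)
```

A client that runs this check would notice a token carrying more than `openid email` before ever using it, which is exactly the step the embedded flow above never gives the user or the app a chance to take.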

Pokemon Go and Google OAuth
