If you’re like nearly every person in the U.S. with a smartphone, you’re probably playing Pokémon Go right now. Despite the fun, however, the app may be a huge security risk.
Adam Reeve, who works for the security analytics company Red Owl, wrote on his personal Tumblr about an issue he noticed: When a user signs up for the game (which must be through Google), it instantly grants Niantic—the app maker—full access to the user’s Google account.
This, says Reeve, means, Niantic could send emails from you, read your emails, access your Google Drive documents, peruse your photos, go through your search history, etc. You can read more about the security issue on Reeve’s blog.
Here’s how to revoke access:
— SecuriTay (@SwiftOnSecurity) July 11, 2016
Update: Reeve has now backtracked some of his claims and Niantic probably can’t send and read personal emails. According to Gizmodo, full account access likely means that the app can “can only read biographical information like email address and phone number.”