Pokémon Go has become wildly popular in the days since its release last week, but the app may be hiding a serious security issue. In many cases, users who sign into the app through a Google Account are often inadvertently granting broad permissions over all information linked to the account, including the power to read and send emails. At no point in the sign-in process does the app notify users that full access is being granted.

There's no indication that developer Niantic Labs is actively using that power, but it still represents a dangerous overreach and a real privacy concern for millions of users.

The behavior was first reported by the researcher Adam Reeve, who noticed it as part of the sign-in process. Six separate Verge employees were able to confirm the finding, although the behavior has been inconsistent on some Android phones. You can check and modify those permissions here. After permissions are revoked, the user is automatically signed out, but the app's functionality is otherwise unaffected.

Full access gives an application broad powers over information in a user's Google Account, including the ability to read emails stored by Gmail or trace location history through Google Maps. The app would be unable to change passwords or spend money, however. Google's summary of the permissions reads as follows:

When you grant full account access, the application can see and modify nearly all information in your Google Account (but it can’t change your password, delete your account, or pay with Google Wallet on your behalf).



Certain Google applications may be listed under full account access. For example, you might see that the Google Maps application you downloaded for your iPhone has full account access.



This "Full account access" privilege should only be granted to applications you fully trust, and which are installed on your personal computer, phone, or tablet.



If you've granted full account access to an app you don't trust or recognize, we recommend that you revoke this permission by clicking the Revoke access button.

Niantic has issued a statement promising to reduce the permissions, saying that despite the overbroad permissions, the app never accessed more than basic profile data.

Update 7:43AM ET: Updated with Niantic's statement.

How Pokémon took over the world in 20 years