by maknz 3635 days ago
Full access is bad enough, but the really dodgy thing going on is that you never get asked to approve or deny that access for Pokemon Go when doing the OAuth flow. You just log in, proceed through 2FA, and you're magically logged into the app. Pokemon Go Release then shows up as an authorised app... except I never authorised it.

My theory is that they're injecting JavaScript into the web view to automatically press the 'Approve' button and hiding that from the user. If true, that's very worrying. They'd be effectively circumventing the whole OAuth framework by forging the user's approval of the app. Every user should have been asked up-front whether or not they wanted to approve or deny Pokemon Go's full access.