iPhone Pokémon Go glitch is a huge security risk, but it’s being worked on
Pokémon Go may have taken over your life, but somewhat concerningly, it could also take over the Google Account you're using to play the game. Security analyst Adam Reeve noted that when played on an iPhone or iPad, the game is potentially granted "full access" to the Google Account you use to sign in.
Theoretically speaking, this means that Pokémon Go (and developer Niantic) can read your email, send email as you, access and delete Google Drive documents, look at search and Maps history, access photos stored in Google Photos, and more: essentially, almost anything except making payments as you or changing your password. While this level of access may not be required by the game, it could be disastrous in the event of an attack on Pokémon Go servers. This does not appear to be an issue if you're playing the game on Android.
Niantic confirmed to Game Informer that this is unintentional and says it has begun working on a fix.
"We recently discovered that the Pokémon Go account creation process on iOS erroneously requests full access permission for the user’s Google account," said Niantic in a statement. "However, Pokémon Go only accesses basic Google profile information (specifically, your User ID and email address) and no other Google account information is or has been accessed or collected. Once we became aware of this error, we began working on a client-side fix to request permission for only basic Google profile information, in line with the data that we actually access. Google has verified that no other information has been received or accessed by Pokémon Go or Niantic. Google will soon reduce Pokémon Go’s permission to only the basic profile data that Pokémon Go needs, and users do not need to take any actions themselves."
For the time being, concerned Pokémon Go players can revoke permissions by going to their Google My Account page. After you sign in, select "Connected apps & sites", click on "Pokémon Go Release" and hit "remove". These permissions will be re-added next time you sign back into Pokémon Go.