Recurring |
one_organization, multiple_organization |
a) The software failure incident related to Pokémon Go's misleading permissions issue with Google accounts does not seem to have happened again within the same organization (Niantic Labs) or with its products and services as per the provided article [45777].
b) The article mentions a separate incident where security researchers at Proofpoint discovered a malicious version of the Pokémon Go Android app infected with a remote access tool, giving attackers full control over the victim's phone. This incident involving a malicious version of the game being marketed to unsuspecting users as the genuine game could be considered a similar type of software failure incident happening with another organization or its product [45777]. |
Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase can be attributed to the outdated version of Google's shared sign-on service used by Niantic Labs. This outdated version led to a mislabeling of permissions, causing Google to default to warning users that the Pokémon Go app had "full access" to their Google accounts. This miscommunication was a result of the development choice made by Niantic Labs to use an unsupported version of the sign-on process, which ultimately caused confusion and fear among users [45777].
(b) The software failure incident related to the operation phase can be seen in the case of users downloading a malicious version of the Pokémon Go Android app from third-party sources. This rogue app was infected with a remote access tool that could give attackers full control over the victim's phone. Users who downloaded the unofficial software from online file storage services were at risk of infecting their devices with malware, highlighting the dangers of not obtaining apps from official sources and the potential consequences of operation-related failures [45777]. |
Boundary (Internal/External) |
within_system, outside_system |
(a) within_system: The software failure incident related to the Pokémon Go app's permissions issue was primarily within the system. The issue stemmed from Niantic Labs using an outdated version of Google's shared sign-on service, which led to the misleading "full access" permissions being displayed to users. This was not an intentional attempt by Niantic Labs to gain access to users' personal data, but rather a result of using an unsupported version of the sign-on process [45777].
(b) outside_system: The incident also involved external factors, such as Google's misrepresentation of the permissions granted to the app. Despite Niantic only requesting basic profile information, Google displayed the permissions as "full access," causing confusion and concern among users. Additionally, there were external security threats, such as a malicious version of the Pokémon Go Android app infected with a remote access tool, which was being marketed to users through online file storage services [45777]. |
Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident related to non-human actions was primarily due to the outdated version of Google's shared sign-on service used by Niantic Labs. This outdated version led to the misleading display of "full access" permissions on Google accounts when users signed up to play Pokémon Go. Despite the alarming language, independent security researchers confirmed that only basic permissions were actually granted to the app [45777].
(b) The software failure incident related to human actions involved the miscommunication and mislabeling of permissions between Niantic Labs and Google. Niantic's choice to use an unsupported, out-of-date version of the sign-on process led to the skipping of the permission-granting step, causing Google to default to warning users about "full access" to their accounts. This miscommunication between the two companies contributed to the scare and confusion among users [45777]. |
Dimension (Hardware/Software) |
software |
(a) The software failure incident related to hardware:
- The incident reported in the article [45777] was not directly related to hardware failure but rather to a software issue. The scare regarding Pokémon Go accessing users' Google accounts was attributed to an outdated version of Google's shared sign-on service used by Niantic Labs, which led to misleading permissions being displayed to users. This issue did not stem from hardware failure but rather from a software implementation problem.
(b) The software failure incident related to software:
- The software failure incident reported in article [45777] was primarily due to contributing factors originating in software. Specifically, the issue with Pokémon Go accessing users' Google accounts was caused by Niantic Labs using an outdated version of Google's shared sign-on service, leading to misleading permissions being displayed to users. This software-related problem resulted in a scare among players regarding potential security vulnerabilities, highlighting the importance of proper software implementation and security measures. |
Objective (Malicious/Non-malicious) |
non-malicious |
(a) The software failure incident related to the Pokémon Go app granting "full access" to users' Google accounts was non-malicious. The incident was attributed to the use of an outdated version of Google's shared sign-on service by Niantic Labs, which led to the misleading permissions being displayed to users. Despite the alarming message of "full access," security researchers confirmed that only basic permissions were actually granted to the app [45777]. The incident was characterized by unintentional mislabeling and a lack of clear communication rather than any malicious intent to harm the system. |
Intent (Poor/Accidental Decisions) |
accidental_decisions |
(a) The software failure incident stemmed from accidental decisions rather than poor decisions. Niantic Labs unintentionally requested full access permission for users' Google accounts during the Pokémon Go account creation process on iOS. This was a mistake, as the app only needed basic Google profile information, and no other Google account information was accessed or collected [45777]. The incident resulted from using an outdated log-in method without clear reasons and from a mislabeling of permissions, rather than from a deliberate attempt to gain unauthorized access to users' personal data. |
Capability (Incompetence/Accidental) |
development_incompetence, accidental |
(a) The software failure incident related to development incompetence can be seen in the case of the Pokémon Go app incident. Niantic Labs used an outdated version of Google’s shared sign-on service, which led to the app being granted "full access" to users' Google accounts, causing a major security scare [45777]. This incident highlights the importance of using up-to-date and secure development practices to prevent such vulnerabilities.
(b) The software failure incident related to accidental factors can be observed in the case of Google misrepresenting the permissions granted to the Pokémon Go app users as "full access" when, in reality, only basic permissions were being granted. This mislabeling led to confusion and fear among users, although there was no intentional attempt by Niantic Labs to access users' personal data [45777]. This accidental miscommunication between Google and Niantic caused unnecessary panic and raised concerns about data security. |
Duration |
temporary |
(a) The software failure incident related to the Pokémon Go app's permissions issue was temporary. The incident occurred due to Niantic Labs using an outdated version of Google’s shared sign-on service, which led to the app being granted "full access" to users' Google accounts, causing a scare among players [45777]. However, both Google and Niantic Labs clarified that the "full access" permission actually only granted basic permissions to the app, and steps were taken to fix the misleading permissions promptly. Google verified that no other information had been accessed by Pokémon Go or Niantic, and they were working to reduce the app's permission to only the basic profile data needed [45777]. |
Behaviour |
value, other |
(a) crash: The incident related to the Pokémon Go app granting "full access" to users' Google accounts was not a crash. The app did not lose state or fail to perform its intended functions. Instead, the issue was related to misleading permissions granted to the app, which did not result in a system crash [45777].
(b) omission: The incident was not due to the system omitting to perform its intended functions at one or more instances. The issue with the Pokémon Go app was not about missing or skipping functions but rather about the misleading representation of permissions granted to the app [45777].
(c) timing: The incident was not related to the system performing its intended functions correctly but at the wrong time. The problem with the app's permissions was not about timing but about the inaccurate labeling of the level of access granted to users' Google accounts [45777].
(d) value: The software failure incident was related to the system performing its intended functions incorrectly. Users were alarmed by the perceived "full access" granted to their Google accounts, which was later clarified to be a mislabeling issue. The app was actually only accessing basic profile information despite the misleading wording [45777].
(e) byzantine: The incident was not characterized by the system behaving erroneously with inconsistent responses and interactions. The issue with the Pokémon Go app was more about a miscommunication regarding the level of access granted rather than inconsistent behavior or interactions [45777].
(f) other: The behavior of the software failure incident could be categorized as a miscommunication or misrepresentation issue. The misleading labeling of "full access" to users' Google accounts caused alarm and confusion among players, leading to concerns about data privacy and security. The incident highlighted the importance of clear communication and transparency in app permissions [45777]. |