Millions of Waze Users at Privacy Risk

 A vulnerability in Google’s navigation app Waze has been discovered by security researchers that allows hackers to stalk a user in real-time.

Researchers from the University of California, Santa Barbara have discovered a vulnerability in Wuze, a popular Google-owned navigation app that can potentially allow a hacker to track a user in real-time.

The Exploit

The researchers inserted their own code and computers in-between Waze’s servers and the end-user’s phone to trigger a man-in-the-middle exploit by reverse engineering-Waze’s server code. With the exploit, researchers discovered that they could potentially create thousands of bot drivers on Waze’s systems.

The app, being predominantly social in nature, allows these bot or ghost-cards to monitor and track real drivers around them. Furthermore, the hijack capabilities also allowed the researchers to create virtual traffic jabs which can then be used by malicious hackers to track users in real-time.

For the hack to work,Waze is required to be running in the foreground since the app developed had switched off “background location sharing” as a feature back in January. The exploit also fails to work when a user turns on the app’s invisibility feature.

Related read: Google Pulls Plug on Vulnerability Exploiting App

Regardless, the vulnerability still puts millions of Waze users who depend on the social, community-centric app to monitor traffic on a real-time basis, at the risk of being tracked.

Reported by Fusion, a writer at the publication demonstrated the flaw by allowing researchers to track her car over a three-day period. The researchers were able to follow her successfully.

The company, meanwhile, insisted that the reporter gave her location and username to the research team, stating that she wanted to be found.

This, they argued, “greatly simplified the process of deducing sections of her route after the fact by using a system of ghost riders.”

Speaking to re/code, Hill stated:

I did give my location to the researchers, [and] it was a surprise to me that knowing where I live or where I work would be sufficient information for a hacker to then follow my movements using Waze.

Still, the company confirmed that the vulnerability discovered by the researchers has enforced a change among its privacy safeguards.

We appreciate the researchers bringing this to our attention and have implemented safeguards in the past 24 hours to address the vulnerability and prevent ghost riders from affecting system behavior and performing similar tracking activities. None of these activities have occurred in real-time and in real-world environments, without knowing participants.

 Image credit: Flickr.