Waze app vulnerability allowed users’ real-time location tracking


The Waze app has more than 130 million active monthly users globally, which makes it a lucrative target for hackers.


Although the Waze app helps drivers identify the most appropriate, safe, and fastest route to any destination, Peter Gasper, an IT security engineer, reported a vulnerability in the Google-owned app that allowed attackers to identify nearby drivers on the Waze app and track their location in real life.


The vulnerability existed in the Waze API. When using the app in a web browser (Livemap Waze), the researcher was able to request the coordinates of nearby drivers along with his own. This not only exposed users' privacy in real time but also put their physical security at risk.




According to the researcher, the coordinates, besides traffic details, also came with the Unique Identity Number (UID) of each driver, which did not change over time. Gasper then decided to track one of the drivers and identified them again with the same coordinates on the same road.
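The response shape described above (coordinates plus a UID that never changes) is shown here beside one possible hardened form that rotates identifiers per viewer and time window and coarsens coordinates. This is an added example, not Waze's code or its actual fix; the field names, the 5-minute window, the session token and the sample driver are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 300                  # assumed rotation period
SERVER_KEY = secrets.token_bytes(32)  # constructed; a real service would manage this key

def leaky_response(drivers):
    """Shape the article describes: every poll exposes the same stable UID."""
    return [{"id": d["uid"], "lat": d["lat"], "lon": d["lon"]} for d in drivers]

def ephemeral_id(driver_uid, viewer_session, now, key=SERVER_KEY):
    """Keyed pseudonym that changes per viewer and per time window."""
    window = int(now // WINDOW_SECONDS)
    msg = f"{driver_uid}|{viewer_session}|{window}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def coarsen(lat, lon, places=3):
    """Drop precision (3 decimals is roughly 100 m) before returning positions."""
    return round(lat, places), round(lon, places)

def hardened_response(drivers, viewer_session, now, key=SERVER_KEY):
    """Same data for map rendering, without a long-lived join key."""
    out = []
    for d in drivers:
        lat, lon = coarsen(d["lat"], d["lon"])
        out.append({"id": ephemeral_id(d["uid"], viewer_session, now, key),
                    "lat": lat, "lon": lon})
    return out

def linkable(resp_a, resp_b):
    """IDs present in both responses: what an observer can correlate across polls."""
    return {d["id"] for d in resp_a} & {d["id"] for d in resp_b}

if __name__ == "__main__":
    # Constructed sample driver, not data from the research.
    drivers = [{"uid": "u-1001", "lat": 48.14861, "lon": 17.10774}]
    print("leaky:   ", linkable(leaky_response(drivers), leaky_response(drivers)))
    print("hardened:", linkable(hardened_response(drivers, "sess-A", 0),
                                hardened_response(drivers, "sess-A", 600)))
```

Rotation removes the stable key that made re-identification trivial; it does not by itself prevent linking two sightings through continuity of position, which is why the coordinates are coarsened as well.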



On the left: Example data captured for given user over time – On the right: The captured data in a human-readable form. (Image via Peter Gasper)



Gasper did so by developing a Chromium extension and was therefore able to follow unique users on the live map via the API. An attacker could find out the ID of a Waze app user and keep an eye on a known environment where the tar ..