April 28, 2016 by

Millions of Waze Users at Privacy Risk

 A vulnerability in Google’s navigation app Waze has been discovered by security researchers that allows hackers to stalk a user in real-time.

Researchers from the University of California, Santa Barbara have discovered a vulnerability in Wuze, a popular Google-owned navigation app that can potentially allow a hacker to track a user in real-time.

The Exploit

The researchers inserted their own code and computers in-between Waze’s servers and the end-user’s phone to trigger a man-in-the-middle exploit by reverse engineering-Waze’s server code. With the exploit, researchers discovered that they could potentially create thousands of bot drivers on Waze’s systems.

The app, being predominantly social in nature, allows these bot or ghost-cards to monitor and track real drivers around them. Furthermore, the hijack capabilities also allowed the researchers to create virtual traffic jabs which can then be used by malicious hackers to track users in real-time.

For the hack to work,Waze is required to be running in the foreground since the app developed had switched off “background location sharing” as a feature back in January. The exploit also fails to work when a user turns on the app’s invisibility feature.

Related read: Google Pulls Plug on Vulnerability Exploiting App

Regardless, the vulnerability still puts millions of Waze users who depend on the social, community-centric app to monitor traffic on a real-time basis, at the risk of being tracked.

Reported by Fusion, a writer at the publication demonstrated the flaw by allowing researchers to track her car over a three-day period. The researchers were able to follow her successfully.

The company, meanwhile, insisted that the reporter gave her location and username to the research team, stating that she wanted to be found.

This, they argued, “greatly simplified the process of deducing sections of her route after the fact by using a system of ghost riders.”

Speaking to re/code, Hill stated:

I did give my location to the researchers, [and] it was a surprise to me that knowing where I live or where I work would be sufficient information for a hacker to then follow my movements using Waze.

Still, the company confirmed that the vulnerability discovered by the researchers has enforced a change among its privacy safeguards.

We appreciate the researchers bringing this to our attention and have implemented safeguards in the past 24 hours to address the vulnerability and prevent ghost riders from affecting system behavior and performing similar tracking activities. None of these activities have occurred in real-time and in real-world environments, without knowing participants.

 Image credit: Flickr.

About the author

Image of Author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.

Related articles

Google Research: Phishing Poses the Greatest Cybersecurity Threat

A new study by Google has revealed insights to better explain how emails and other accounts are...

Read more arrow_forward

Google Plans 2FA Upgrade with Hardware Replacements

Google is reportedly close to rolling out a new hardware-based replacement solution as an upgrade...

Read more arrow_forward

Google Will Pay Up to $200,000 for Android Hacks

Google is increasing payouts for its Android bug bounty program, with rewards up to $200,000 for...

Read more arrow_forward