The company already patched an API flaw that allowed a security researcher to use the app to find the real identity of drivers using it.

A security researcher has discovered a vulnerability in Google’s Waze app that can allow hackers to identify people using the popular navigation app and track them by their location.

Security DevOps engineer Peter Gasper discovered an API flaw in the navigation software that allowed him to track the specific movements of nearby drivers in real time and even identify exactly who they are, he revealed in a blog post on his research website, “malgregator.”

Waze uses crowd-sourced info aimed at warning drivers about obstacles that may be in their way of an easy commute–such as traffic congestion, construction, accidents and the like—and then suggests alternative and faster routes around these obstacles. The apps also displays the location of other drivers in close proximity as well as their GPS locations.
Gasper reported the latest Waze bug to Google last December and was rewarded a bug bounty of $1,337 from Google’s Vulnerability Reward Program in January 2020, disclosing the flaw publicly in August. The company said it already has patched the flaw.

Gasper said his research began innocently enough when he realized he could visit Waze from any web browser at at waze.com/livemap and decided to see how the app implemented the icons of other drivers nearby. He discovered that not only does Waze send him the coordinates of other nearby drivers, but also that the “identification numbers (ID) associated with the icons were not changing over time,” Gasper observed in his post.

By spawning code editor and building a Chromium extension to capture JSON responses from the API, the researchers found that he could “visualize how users broadly traveled between the city districts or even cities themselves.”

Inspired by a research paper published in 2013 that claimed that only four spatio-temporal points are enough to uniquely identify 95 percent of people, Gasper said he decided to go a step further to try to identify with specificity the drivers he was able to track within Waze.

He started with his own ID and used only the Waze map, discovering that in a low-density area, he could track his own ID by monitoring his own location.

“With enough time, an attacker would find out the victim ID by stalking its known location,” Gasper observed. However, realizing this would not scale for multiple users, he dug deeper and found “another privacy leak” that would allow hackers to identify a broader range of specific drivers using Waze.

“I found out that if user acknowledge any road obstacle or reported police patrol, user ID together with the username is returned by the Waze API to any Wazer driving through the place,” he explained in his post. “The application usually don’t show this data unless there is an explicit comment created by the user, but the API response contains the username, ID, location of an event and even a time when it was acknowledged.”

To leverage this vulnerability, an attacker can pick multiple locations with high traffic and existing short/long running notification on the obstacle, then periodically call the API and find users that confirmed the existence of an obstacle, he said.

Because many users actually use their legitimate names as usernames in the app, over time an attacker “can build a dictionary of user names and their IDs,” as well as “store all the icon locations and correlate them with the users,” Gasper said.

Rumblings that Waze and other apps using crowd-sourced information are insecure already surfaced a number of years ago with a report  (PDF) from University of Santa Barbara researchers. They discovered that once a Waze user was identified, they could echo the GPS location of that person by creating a “ghost rider.” This would give someone the ability to virtually follow the victim around via a man-in-the-middle attack, reporting back their GPS locations.