Google’s Waze Can Allow Hackers to Identify and Track Users
Google’s Waze app contained a serious security vulnerability that allowed hackers to identify users and track their locations. The flaw, which has since been patched, was an API flaw that allowed security researcher Peter Gasper to use the app to uncover the true identity of drivers using it. Gasper, a security DevOps engineer, found that the API bug in the navigation software allowed him to track the specific movements of nearby drivers in real time. He released details about the hack in a blog post uploaded to his research website.
Google awarded Gasper a bug bounty of over a thousand dollars for uncovering the flaw after he reported it to the company last December. Google was able to release a patch for the flaw and publicly disclose it in August. Waze disseminates a large amount of information to inform users of incidents such as traffic congestion, construction, police cars, and accidents, and it also displays the locations of other, unidentified users in close proximity. Gasper found the flaw after realizing he could visit the application from any web browser; he then looked into how the app administered the icons of nearby drivers and found that their ID information was available online.