The Waze app has more than 130 million monthly active users globally, which makes it a lucrative target for hackers.
Although the Waze app helps drivers identify the most appropriate, safe, and fastest route to any destination, Peter Gasper, an IT security engineer, reported a vulnerability in the Google-owned app that allowed attackers to identify nearby drivers on the Waze app and track their location in real life.
The vulnerability existed in the Waze API: while using the app in a web browser (Livemap Waze), the researcher was able to request the coordinates of nearby drivers along with his own. This not only compromised users' privacy in real time but also put their physical security at risk.
According to the researcher, the API responses contained, in addition to coordinates and traffic details, a unique identification number (UID) for each driver that did not change over time. Gasper then decided to track one of the drivers and identified them again, by the same ID, at a different place on the same road.
Gasper did so by developing a Chromium extension, which let him follow unique users on the live map via the API. An attacker could find out the ID of a Waze app user and keep watch on the live map over a known area that the target regularly visits, Gasper wrote.
“I decided to track one driver and after some time she really appeared in a different place on the same road,” Gasper explained. “I have spawned code editor and built Chromium extension leveraging chrome.devtools component to capture JSON responses from the API. I was able to visualize how users broadly traveled between the city districts or even cities themselves.”
Furthermore, the security researcher found a method to link IDs to usernames. If a Waze app user reported a roadblock in the app, for example, the API would send both the ID and the username to all Waze users in the area. Users only saw that information when the reporter added a response, but even if the reporter did not, the details were still sent via the API.
Moreover, Gasper noted that an attacker could monitor various locations where obstacles had been reported in order to identify the IDs and usernames of Waze users who confirmed the obstruction. In this way, it was possible to create a database of Waze IDs and the associated usernames. Gasper notes that many people use their real names.
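The two leaks described above (an ID that never changes, and a username sent even when the client does not display it) are both server-side data-minimisation failures. The following is an added sketch of one possible mitigation, not code from Waze, Google or Gasper and not a description of how the issue was actually fixed; all field names, the key, the rotation window and the sample records are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions for this sketch: a server-side secret and a 15-minute rotation window.
SERVER_KEY = b"constructed-demo-key"
WINDOW_SECONDS = 900


def pseudonym(uid, viewer_session, now):
    """Identifier that is stable only for one viewer inside one time window."""
    window = int(now // WINDOW_SECONDS)
    msg = f"{uid}|{viewer_session}|{window}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]


def minimise_driver(driver, viewer_session, now):
    """Nearby-driver record: position plus a rotating pseudonym, never the raw UID."""
    return {
        "id": pseudonym(driver["uid"], viewer_session, now),
        "lat": driver["lat"],
        "lon": driver["lon"],
    }


def minimise_alert(alert, viewer_session, now):
    """Road report: the username leaves the server only when the client would display it."""
    out = {
        "type": alert["type"],
        "lat": alert["lat"],
        "lon": alert["lon"],
        "reporter": pseudonym(alert["uid"], viewer_session, now),
    }
    if alert.get("response"):  # reporter chose to attach a visible response
        out["username"] = alert["username"]
        out["response"] = alert["response"]
    return out


# Constructed sample records (not real Waze data or field names).
DRIVER = {"uid": 123456789, "lat": 48.1486, "lon": 17.1077}
SILENT_ALERT = {"type": "ROAD_CLOSED", "uid": 123456789, "username": "jane.doe",
                "lat": 48.15, "lon": 17.11, "response": ""}

if __name__ == "__main__":
    print(minimise_driver(DRIVER, "viewer-a", 1000))
    print(minimise_driver(DRIVER, "viewer-a", 2000))  # next window: different id
    print(minimise_alert(SILENT_ALERT, "viewer-a", 1000))
```

Inside a single window one viewer can still follow a pseudonym, so the window length is a trade-off between client features that need continuity and how long a driver stays linkable.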
The good news is that Google has fixed the vulnerability, and in return the researcher was awarded $1,337 through Waze’s bug bounty program in January. However, the details of the vulnerability were only published by the researcher in August 2020.
Nevertheless, this is not the first time a vulnerability in the Waze app has put the security and privacy of its users at risk. In 2016, a critical vulnerability in the app also allowed attackers to spy on users.