Waze flaw allows hackers to track the live location of any user. Update your app right now

Waze has become one of the most widely used platforms by drivers around the world, although it is a widely known fact that developers need to improve multiple aspects of the app, mainly in terms of safety.

Peter Gasper, a cybersecurity specialist, reported finding a critical vulnerability in Waze that allowed him to track the real-time location of a random driver, as well as identify the stops the target user made. Gasper ensures that this is due to the way the app is built.

When using Waze, the app displays other users’ icons in nearby locations, allowing the researcher to use the app’s web interface to request the Waze API and find the coordinates of their own location and that of other users. When analyzing the data returned by the API, Gasper discovered that the IDs associated with the user icons were updated with this maneuver.

La imagen tiene un atributo ALT vacío; su nombre de archivo es wazebody.jpg

“The location of the drivers is really updated; I created a code editor and built a Chromium extension using the chrome.devtools component to capture JSON responses from the API. This completely exposes the location of users,” Gasper says.

This is bad enough, though the worst is yet to come. Subsequent analysis allowed the researcher to identify the identity of users using the event reporting feature in Waze: “If a user reports a traffic jam on the road, the API returns the user’s ID along with their name to any other Waze implementation nearby; although the user may or may not display their data, the API contains all their information,” alade Gasper.

Threat actors could identify any user by abusing these functions, determining their identity and near-exact location. The fault was reported to Google, Waze’s owning company, which was quick to release a fix. For his finding, Gasper received a payment as part of the company’s rewards program.