Google’s Waze App Allows Hackers to Track Users
A vulnerability in Google’s popular Waze app has been discovered, where hackers have the ability to identify people and track them by their location. By tracking the specific location and movements of people, it was found that hackers are also able to identify exactly who the users are.
For those who don’t know, the way the Waze app works is by utilizing crowd-sourced information to warn drivers of any obstacles that may be in their way while they are traveling. Since it is crowd-sourced information that is collected, the app is able to reveal the GPS locations of other drivers who are nearby.
According to Security DevOps Engineer Peter Gasper, he discovered the flaw accidentally. After he realized he could visit Waze from any web browser, he curiously dug deeper to see how Waze used the icons of other nearby drivers. He found out that they were sending him the coordinates of the drivers and the ID’s of the drivers were staying the same over time.
Gasper then used his own ID on the Waze map and realized in a low-density area, he could track himself by monitoring his own location. He then found another “privacy leak” that allows hackers to identify and track a broader range of drivers. With this vulnerability, an attacker can pick multiple locations, even high traffic ones, then call the Waze API and find drivers who confirmed going through an obstacle.
Since many users use their actual name in the app, hackers have the ability to collect the names and ID’s over time.
Categorised in: IT Threat