A flaw found in Google's navigation app Waze made it possible for bad actors to track individual users and even narrow down their real identities. The issue was reported to Google by security researcher Peter Gasper, and a patch has since been issued.
Gasper was paid $1,337 by Google for reporting the flaw through its official bug bounty program. There's no evidence it was ever used by malicious characters.
Oop — The vulnerability was in the developer API for Waze, which was openly revealing the usernames and ID numbers of people using the app, along with the GPS coordinates of places they'd been.
When users report obstacles in Waze that might cause traffic delays, their reports display in the app without usernames unless they write a comment. But Gasper found that the developer-facing API returned usernames in all reports, so a bad actor could periodically call the API to find the usernames of all people who confirmed an obstacle in a particular area. Gasper said many users tend to use their legitimate names as their usernames.
Even if someone doesn't report an obstacle, Waze regularly pings user locations in order to generate information on traffic density. An attacker could identify a victim's user ID in Waze by monitoring known places they frequent, like an office or grocery store.
Once an attacker had identified their target's username or ID, they could cast a net over a city or locale and monitor for a long period of time, save the data, and then search through it for all the locations their victim has been. Gasper made a tool that takes all the logged locations for a tracked user and visualizes them on a map.
In the picture above, Gasper compares a map in Waze showing icons representing other users of the app with his own map that shows the locations for one particular user he chose to track. That means he was able to look at the icon of a Waze user and then use the API to figure out who they were and follow them.
This "hack" isn't even a hack at all because that word itself implies that Gasper managed to break open a locked system. But Waze left all of this sensitive data out in the open for whoever could find it. That's... not great if someone is motivated enough to stalk another person.
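One way a server can avoid the exposure described above, as an added example that is not from the article, Gasper, or Waze: build each report response from a field allowlist, return the username only when the user wrote a comment (matching what the app displays), and replace the stable user ID with a pseudonym that rotates over time. The field names, rotation period and key are assumptions; the article does not say how Google's patch works.

```python
import hashlib
import hmac

# Hypothetical field names: the real Waze API schema is not shown in the article.
PUBLIC_FIELDS = ("type", "lat", "lon", "comment")
ROTATION_SECONDS = 3600  # assumed pseudonym lifetime


def pseudonym(user_id: int, timestamp: int, key: bytes) -> str:
    """Derive an identifier that is stable only within one rotation window."""
    window = timestamp // ROTATION_SECONDS
    msg = f"{user_id}:{window}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def serialize_report(record: dict, key: bytes) -> dict:
    """Build the API response from an allowlist instead of dumping the record."""
    out = {name: record[name] for name in PUBLIC_FIELDS
           if record.get(name) is not None}
    # The stable user_id never leaves the server; clients get a rotating value
    # that cannot be used to link one person's reports across windows.
    out["reporter"] = pseudonym(record["user_id"], record["timestamp"], key)
    # Match what the app displays: a username only accompanies a written comment.
    if record.get("comment"):
        out["username"] = record["username"]
    return out


# Constructed sample records, not real Waze data.
KEY = b"constructed-demo-key"
SILENT = {"type": "hazard", "lat": 48.1486, "lon": 17.1077, "comment": None,
          "user_id": 1001, "username": "jane.doe", "timestamp": 1_600_000_000}
SAME_WINDOW = dict(SILENT, timestamp=SILENT["timestamp"] + 60)
LATER = dict(SILENT, timestamp=SILENT["timestamp"] + 2 * ROTATION_SECONDS)
COMMENTED = dict(SILENT, comment="Pothole in the right lane")

if __name__ == "__main__":
    for rec in (SILENT, SAME_WINDOW, LATER, COMMENTED):
        print(serialize_report(rec, KEY))
```

The allowlist matters more than the pseudonym: a new internal field added to the record later stays private unless someone deliberately adds it to `PUBLIC_FIELDS`.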
Data for value exchange — Companies including Google ask users to hand over data with the promise that they'll get useful services in return. But, as we're seeing here, that collection can have adverse consequences if the data isn't protected properly. Many people don't even intuitively understand just how much data is being collected on them or how to delete it, and incidents like this one with Waze just add to existing distrust of tech companies over privacy matters.
You'll have to decide for yourself whether you can trust that Waze won't have any similar leakages in the future.