A security researcher recently discovered a vulnerability in the Google Waze app that could allow hackers to use the popular navigation app to identify people and even track them by their specific location. Google has already patched “an API flaw that allowed a security researcher to use the app to find the real identity of drivers using it.”
Peter Gasper, a Security DevOps engineer, discovered an API flaw in “the navigation software that allowed him to track the specific movements of nearby drivers in real-time and even identify exactly who they are, he revealed in a blog post on his research website, ‘malgregator.’ Waze uses crowd-sourced info aimed at warning drivers about obstacles that may be in their way of an easy commute, such as traffic congestion, construction, accidents and the like, and then suggests alternative and faster routes around these obstacles.” The application also displays the specific GPS locations of other drivers that are nearby.
Gasper reported the latest Waze bug to Google this past December and was awarded a bounty of $1,337 from Google’s Vulnerability Reward Program in January 2020, publicly disclosing the issue in August. Google announced it has already patched this flaw. Gasper explained that his research began “innocently enough when he realized he could visit Waze from any web browser at waze.com/livemap and decided to see how the app implemented the icons of other drivers nearby. He discovered that not only does Waze send him the coordinates of other nearby drivers, but also that the ‘identification numbers (ID) associated with the icons were not changing over time,’ Gasper observed in his post. By spawning a code editor and building a Chromium extension to capture JSON responses from the API, the researcher found that he could visualize how users broadly traveled between the city districts or even cities themselves.”
Inspired by a research paper published in 2013, which argued that only four spatio-temporal points are enough to uniquely identify 95 percent of people, Gasper decided to go a step further and attempt to specifically identify the drivers that he was able to track with the Waze app. He started with his own ID and used only the Waze map, which helped him realize that in a low-density area he could track his own ID by monitoring his own location. Gasper concluded that with enough time, “an attacker would find out the victim ID by stalking its known location...however, realizing this would not scale for multiple users, he dug deeper and found ‘another privacy leak’ that would allow hackers to identify a broader range of specific drivers using Waze.”
Gasper ultimately observed that when a user acknowledges any “road obstacle or reported police patrol, user ID together with the username is returned by the Waze API to any Wazer driving through the place. The application usually [doesn’t] show this data unless there is an explicit comment created by the user, but the API response contains the username, ID, location of an event and even a time when it was acknowledged.” To take advantage of this leak, an attacker can select several locations that exhibit both “high traffic and existing short/long-running notification on the obstacle, and then periodically call the API and find users that [confirm] the existence of an obstacle.”
Because so many users tend to use their real names as usernames within the app, this gives an attacker the opportunity over time to “build a dictionary of user names and their IDs,” in addition to “stor[ing] all the icon locations and correlate them with the users.” Concerns that Waze and similar apps using crowd-sourced information may be insecure began surfacing a few years ago with a report from researchers at the University of Santa Barbara. These researchers observed that when a Waze user was identified, the specific GPS location of that particular person could be simulated and copied, creating a “ghost rider.” This would then allow someone to virtually follow this user, using “a man-in-the-middle attack,” and track their GPS locations.
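
The two leaks described above (driver IDs that never change, and usernames returned with obstacle acknowledgements) both call for filtering the API response on the server. The Python sketch below is an added example, not code from Gasper's post or from Waze, and it does not describe Google's actual patch; the field names, the rotation window and the sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

ROTATION_SECONDS = 600  # assumed rotation window, not a value from the article


def ephemeral_id(secret: bytes, user_id: str, viewer_id: str, now: float) -> str:
    """Pseudonym that changes every window and differs for each viewer."""
    window = int(now // ROTATION_SECONDS)
    # JSON-encode the fields so two different tuples can never collide as bytes.
    msg = json.dumps([user_id, viewer_id, window]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def sanitize_nearby(secret: bytes, drivers: list, viewer_id: str, now: float) -> list:
    """Swap the stable ID on each nearby-driver icon for a rotating pseudonym."""
    return [
        {"id": ephemeral_id(secret, d["user_id"], viewer_id, now),
         "lat": d["lat"], "lon": d["lon"]}
        for d in drivers
    ]


def sanitize_alert(alert: dict) -> dict:
    """Reduce acknowledgements to a count; drop their IDs, names and times.

    The reporter's username is kept only when an explicit comment exists,
    which is the one case the article says the app displays it.
    """
    out = {"type": alert["type"], "lat": alert["lat"], "lon": alert["lon"],
           "confirmations": len(alert.get("acknowledged_by", []))}
    if alert.get("comment"):
        out["comment"] = alert["comment"]
        out["author"] = alert["reporter"]["username"]
    return out


# Constructed sample records (not real Waze data).
SECRET = b"constructed-demo-key"
DRIVERS = [{"user_id": "1001", "lat": 48.15, "lon": 17.11}]
ALERT = {"type": "POLICE", "lat": 48.16, "lon": 17.12, "comment": "",
         "reporter": {"user_id": "1001", "username": "constructed_name"},
         "acknowledged_by": [{"user_id": "1002", "username": "other_name",
                              "ts": 1580000000}]}

if __name__ == "__main__":
    print(sanitize_nearby(SECRET, DRIVERS, "viewer-a", 0))
    print(sanitize_alert(ALERT))
```

Rotating identifiers only remove the stable join key; where few drivers are on the map, one icon can still be followed from position to position.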