A serious vulnerability has been discovered in the Waze app that could allow tracking other users’ locations in real-time. The bug risked the privacy of millions of users.
Waze App Vulnerability
Security researcher Peter Gasper discovered a vulnerability in the Waze app that risked other users’ privacy.
As elaborated in his blog post, the flaw basically existed in the Waze API that allowed anyone to keep tracking other users’ locations in real-time.
For those who don’t know, Waze is an online navigation tool owned by Google. It works on GPS to give directions, traffic alerts and maps in real-time.
Users, while online, can see other driver icons on the app. That’s where the problem existed. The researcher noted that he could easily request the coordinates of other drivers along with their identification numbers (ID). Hence, it became possible to track them in real-time. Eventually, it further allowed tracing the IDs to the original users.
I found out that if user acknowledge any road obstacle or reported police patrol, user ID together with the username is returned by the Waze API to any Wazer driving through the place. The application usually don’t show this data unless there is an explicit comment created by the user. But the API response contains the username, ID, location of an event and even a time when it was acknowledged.
Since most users have their real names as usernames, it became possible for an adversary to build a database of the users, their names, and IDs.
Google Fixed The Bug
Upon discovering the data leaking flaw back in December 2019, the researcher reported it to Google via their Vulnerability Reward Program.
Consequently, Google patched the bug whilst awarding a $1337 bounty to the researcher.
Recently, a researcher also shared findings of vulnerabilities in Google Maps for which Google awarded a $10,000 bounty.