Security Researcher Finds Waze API Vulnerability Allowing Him to Track Users and Gather Data

A security researcher has discovered vulnerabilities in the Waze API that allowed him to accurately track users and their movements, and even pull data such as IDs and usernames.

With so many people using Waze all over the globe, it stands to reason that the platform collects large volumes of data. Problems arise when that data becomes available to regular users, letting them take a peek behind the curtain and use that private data for their gains.

Security researcher Peter Gasper started his analysis by taking a closer look at the Waze Live Map, which is available in any browser. He was particularly interested in how the API handles nearby drivers’ icons, and soon discovered he could make the platform send him the coordinates of nearby drivers along with their unique identification numbers.

“Besides the essential traffic information, Waze also sends me coordinates of other drivers who are nearby,” said the researcher. “What caught my eye was that the identification numbers (IDs) associated with the icons were not changing over time. I decided to track one driver and after some time she really appeared in a different place on the same road.”

“I spawned a code editor and built a Chromium extension leveraging the chrome.devtools component to capture JSON responses from the API. I was able to visualize how users broadly traveled between the city districts or even between cities themselves,” he continued.

Inspired by an older paper showing that four spatio-temporal points are enough to uniquely identify 95% of individuals, he successfully tracked the ID he had chosen to follow. He also discovered that the more users interacted with the app, acknowledging road obstacles or reported police patrols, the more information he could use.

In theory, an attacker could pick a few very crowded spots with high traffic, periodically call the API, and crawl the users who confirmed the existence of an obstacle. Since many people use their real names as usernames, this would allow threat actors to build a dictionary of IDs and usernames over time.
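As an added illustration (not code from the article, from Waze, or from the researcher), the following Python models the design flaw described above: a nearby-driver icon that carries an unchanging identifier can be joined across successive responses, whereas an HMAC-derived pseudonym keyed per response cannot. The driver records and keys are constructed sample data, and `linkable_ids` is the kind of check an API owner can run over two captured responses to confirm whether such a tracking handle is present.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real Waze records): two successive "nearby
# drivers" responses. Each tuple is (internal_id, lat, lon); the internal
# id is what the backend knows and must never reach other users unchanged.
SNAPSHOT_T0 = [("driver-A", 48.1486, 17.1077), ("driver-B", 48.1500, 17.1100)]
SNAPSHOT_T1 = [("driver-A", 48.1600, 17.1200), ("driver-B", 48.1510, 17.1110)]


def stable_icons(snapshot):
    """Weak design: each icon carries the unchanging internal id."""
    return [{"id": did, "lat": lat, "lon": lon} for did, lat, lon in snapshot]


def fresh_key():
    """One random key per response (or per short time window)."""
    return secrets.token_bytes(32)


def ephemeral_icons(snapshot, key):
    """Mitigation: replace the internal id with an HMAC-derived pseudonym.
    Icons within one response stay distinguishable, but ids from responses
    built with different keys cannot be joined. Note that this only removes
    the explicit handle: densely sampled coordinates can still be chained
    by proximity, so pair it with rate limits and coarsened positions."""
    icons = []
    for did, lat, lon in snapshot:
        tag = hmac.new(key, did.encode(), hashlib.sha256).hexdigest()[:16]
        icons.append({"id": tag, "lat": lat, "lon": lon})
    return icons


def linkable_ids(resp_a, resp_b):
    """Audit check: icon ids that recur across two responses are tracking
    handles. A non-empty result means the leak is present."""
    return {i["id"] for i in resp_a} & {i["id"] for i in resp_b}


if __name__ == "__main__":
    weak = linkable_ids(stable_icons(SNAPSHOT_T0), stable_icons(SNAPSHOT_T1))
    fixed = linkable_ids(ephemeral_icons(SNAPSHOT_T0, fresh_key()),
                         ephemeral_icons(SNAPSHOT_T1, fresh_key()))
    print("stable ids recurring across responses:", sorted(weak))
    print("ephemeral ids recurring across responses:", sorted(fixed))
```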

Fortunately, Google has already fixed this vulnerability and awarded $1,337 through its Vulnerability Reward Program.