A security researcher has discovered a vulnerability in Google’s Waze app that can allow hackers to identify people using the popular navigation app & track them by their location.
The company already patched an API flaw that allowed a security researcher to use the app to find the real identity of drivers using it.
Security DevOps Engineer Peter Gasper discovered an API flaw in the navigation software that allowed him to track the specific movements of nearby drivers in real time, & even identify exactly who they are, he revealed in a blog post on his research website, “malgregator.”
Waze uses crowd-sourced info aimed at warning drivers about obstacles that may be in their way of an easy commute–such as traffic congestion, construction, accidents & the like, & then suggests alternative & faster routes around these obstacles. The apps also displays the location of other drivers in close proximity as well as their GPS locations.
Gasper reported the latest Waze bug to Google in Dec., & was rewarded a bug bounty of $1,337 from Google’s Vulnerability Reward Program in Jan. 2020, disclosing the flaw publicly in Aug. The company said it already has patched the flaw.
Gasper explained that his research began when he realised he could visit Waze from any web browser at waze.com/livemap, & decided to see how the app implemented the icons of other drivers nearby.
He found that not only does Waze send him the co-ordinates of other nearby drivers, but also that the “identification numbers (ID) associated with the icons were not changing over time,” Gasper observed in his post.
By using code editor & building a Chromium extension to capture JSON responses from the API, the researchers discovered that he could “visualise how users broadly travelled between the city districts or even cities themselves.”
Inspired by a research paper published in 2013 that claimed that only 4 spatio-temporal points are enough to uniquely identify 95% of people, Gasper said he decided to go further to try to identify specifically the drivers he was able to track within Waze.
He started with his own ID, & used only the Waze map, discovering that in a low-density area, he could track his own ID by monitoring his own location.
“With enough time, an attacker would find out the victim ID by stalking its known location,” Gasper observed. However, realising this would not scale for multiple users, he then found “another privacy leak” that would allow hackers to identify a broader range of specific drivers using Waze.
“I found out that if user acknowledge any road obstacle or reported police patrol, user ID together with the username is returned by the Waze API to any Wazer driving through the place,” he explained in his post.
“The application usually don’t show this data unless there is an explicit comment created by the user, but the API response contains the username, ID, location of an event, & even a time when it was acknowledged.”
To use this vulnerability, an attacker can choose multiple locations with high traffic & existing short/long running notification on the obstacle, then periodically call the API & find users that confirmed the existence of an obstacle, he observed.
Because many users actually use their legitimate names as usernames in the app, over time an attacker “can build a dictionary of user names & their IDs,” as well as “store all the icon locations and correlate them with the users,” Gasper commented.
Rumours that Waze & other apps using crowd-sourced information are insecure already surfaced some years ago with a report (PDF) from University of Santa Barbara, California researchers.
They discovered that once a Waze user was identified, they could echo the GPS location of that person by creating a “ghost rider.” This would give the ability to virtually follow the victim around via a ‘man-in- the-middle’ attack, reporting back their GPS locations.