(Subscribe to our Today's Cache newsletter for a quick snapshot of top 5 tech stories. Click here to subscribe for free.)
A security researcher found a vulnerability in Google’s Waze, a GPS navigation software, that can allow hackers to track and identify users by their location.
Security DevOps engineer Peter Gasper discovered a flaw in the API that lets hackers track movements of drivers and identify the users.
ADVERTISEMENT
“I have reported findings via Google vulnerability programme,” Gasper told The Hindu. “I described possible attack scenarios and they confirmed it as a valid issue.”
He added that the issue seems to be fixed now. However, Google has not responded to an email query at the time of publishing this story.
Gasper reported the bug to Google in December last year and received a bug bounty of $1,337 in January 2020, he revealed in a blog post.
ADVERTISEMENT
“Based on a reward size I think they consider it as a ‘potential’ misuse or possible vulnerability without any active harm done,” Gasper said.
Waze is used by drivers all around the world to share real-time information on traffic, accidents, and blocked roads by simply keeping the app open. Users should have an active data connection to use the service. The app was created for private cars so currently it doesn’t support navigating in lanes dedicated to public transportation, bicycles or trucks.
Gasper’s research iinto Waze began when he found that he could visit Waze from any web browser at waze.com/livemap and decided to check how driver icons are implemented. He noticed that Waze API can give data on a location by sending the location’s coordinates. Additionally, it also sends coordinates of other drivers who are nearby.
To Gasper’s surprise, the identification numbers (ID) associated with the icons were not changing over time, so he decided to track one driver and after some time she appeared in a different place on the same road.
He continued his research to find out a way to translate ID to a username or vice versa. He had success when he found out that if a user acknowledges any road obstacle or reported police patrol, user ID together with the username is returned by the Waze API to any Wazer driving through the place.
“The application usually doesn’t show this data unless there is an explicit comment created by the user, but the API response contains the username, ID, location of an event and even a time when it was acknowledged,” Gasper said in his blog post.
He explained that attacker can pick multiple locations with high traffic and periodically call API and crawl the users that confirmed the existence of an obstacle. As many people use their legitimate names as usernames, an attacker can build a dictionary of user names and their IDs. They can also store all the icon locations and correlate them with the user.