Waze users could be tracked via web API


A security researcher discovered that it was possible to track users through the Waze website. If those users made a report via the app, their username could be linked to an ID. Waze has fixed the privacy issue.

Waze’s live map shows icons of nearby users. That representation should be anonymous, but security researcher Peter Gasper discovered that each icon carried a unique identifier. Gasper built a Chromium extension and was thus able to follow individual users on the live map via the API. An attacker could find out the ID of a Waze user by, for example, watching the live map around a known location that the target visits regularly, Gasper writes.

The security researcher also found a method to link IDs to usernames. If Waze users reported a roadblock in the app, for example, the API would send both the ID and the username to all Waze users in the area. Users only see that information if the reporter adds a response, but even if the reporter did not, the details were sent via the API.

According to Gasper, an attacker could monitor different locations where obstacles have been reported in order to identify the IDs and usernames of Waze users confirming the obstruction. In this way it was possible to create a database of Waze IDs and the associated usernames. Gasper notes that many people use their real names.

The security researcher found the vulnerability in December last year and reported it to Waze. A few days after his report, Waze acknowledged the problem and the service made adjustments so that users can no longer be tracked. Gasper was awarded $1,337 through Waze’s bug bounty program in January. The details about the vulnerability have only recently come out, after the researcher published a blog post about it.
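The following is an added example, not taken from the article, Gasper's write-up or Waze, of the kind of response minimisation that closes both leaks described above: live-map icons get an identifier that changes per viewer and per time window, and a report carries the username only when the reporter added a comment. The field names, key, window length and sample records are assumptions constructed for illustration and do not describe Waze's real API or its actual fix.

```python
import hashlib
import hmac

# Assumptions for illustration: field names, key and window length are
# hypothetical and do not describe Waze's real API or its actual fix.
SERVER_KEY = b"constructed-demo-key"  # in practice a rotated server-side secret
WINDOW_SECONDS = 600

def ephemeral_id(user_id, viewer_session, now):
    """Pseudonym that differs per viewer and per time window, so icons seen
    in two windows (or by two clients) cannot be joined into one track."""
    window = int(now // WINDOW_SECONDS)
    msg = f"{user_id}|{viewer_session}|{window}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]

def serialize_driver(driver, viewer_session, now):
    """Live-map icon: position plus a short-lived identifier only."""
    return {"id": ephemeral_id(driver["user_id"], viewer_session, now),
            "lat": driver["lat"], "lon": driver["lon"]}

def serialize_report(report):
    """Report: the username is sent only when the UI would display it, that is
    when the reporter added a comment. The stable ID is never sent."""
    out = {"type": report["type"], "lat": report["lat"], "lon": report["lon"]}
    if report.get("comment"):
        out["comment"] = report["comment"]
        out["username"] = report["username"]
    return out

def find_leaks(payload, sensitive_values):
    """Regression check: walk a response body and return every sensitive
    value (stable ID, username) that appears anywhere in it."""
    found = set()
    def walk(node):
        if isinstance(node, dict):
            for value in node.values():
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)
        elif str(node) in sensitive_values:
            found.add(str(node))
    walk(payload)
    return found

# Constructed sample records
DRIVER = {"user_id": 482113, "username": "constructed_user", "lat": 48.1486, "lon": 17.1077}
REPORT = {"type": "ROAD_CLOSED", "user_id": 482113, "username": "constructed_user",
          "lat": 48.1490, "lon": 17.1080, "comment": ""}
SENSITIVE = {"482113", "constructed_user"}
```

Running `find_leaks` over every serialized response in an API test suite catches the class of bug the article describes, where a field the interface never displays is still present in the payload.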
