A vulnerability was identified in Google's Waze, a GPS navigation app, that allowed an attacker to track users' locations and tie them to identities. The vulnerability was found by security DevOps engineer Peter Gasper. He reported the problem to Google in December 2019 and received a bug bounty of $1,337 in January 2020. The issue has since been fixed.
“Based on a reward size I think they consider it as a ‘potential’ misuse or possible vulnerability without any active harm done,” Gasper said.
Waze is used by drivers around the world to share real-time data on traffic, accidents, and closed roads simply by keeping the app open. The app was developed for private cars, so at present it does not support navigation in lanes dedicated to public transport, trucks, or bicycles.
Gasper's investigation into Waze started when he found that he could access Waze from any web browser at waze.com/livemap, and he decided to test how the driver icons were handled. He noted that the Waze API returns data for an area when given that area's coordinates, and that the response also contains the coordinates of other drivers nearby. To his surprise, the identification numbers associated with the icons did not change over time, so he decided to track one driver; after some time she appeared in a different place on the same road.
Gasper then looked for a way to translate an ID into a username, or vice versa. He found one: when a user acknowledges a road obstacle or a reported police patrol, the Waze API returns that user's ID together with their username to any Wazer driving through the area.
“The application usually doesn’t show this data unless there is an explicit comment created by the user, but the API response contains the username, ID, location of an event, and even a time when it was acknowledged,” Gasper said in his blog post.
He explained that an attacker could pick a number of high-traffic locations, call the API periodically, and collect the users who confirmed an obstacle there. Because many people use their real names as usernames, an attacker could assemble a dictionary of usernames and their IDs, and could also store every icon location and relate it back to the user.
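As an added example (not from Gasper's write-up or from Waze's code), the following Python models the two leaks described above in a constructed, hypothetical response format and shows the API-side mitigation: per-session pseudonyms for driver icons, so positions cannot be linked across sessions, and acknowledgement data reduced to a count unless the user left an explicit comment. All record fields and the schema are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed sample records in a hypothetical schema (not Waze's real API format):
# a "nearby drivers" response exposes a stable account id per icon, and an alert
# acknowledgement exposes the account id plus username of whoever confirmed it.
NEARBY_T0 = [{"id": 1001, "lat": 50.0870, "lon": 14.4200},
             {"id": 1002, "lat": 50.0871, "lon": 14.4215}]
NEARBY_T1 = [{"id": 1001, "lat": 50.0990, "lon": 14.4330},   # same driver, later
             {"id": 1003, "lat": 50.0985, "lon": 14.4310}]
ALERT = {"type": "POLICE", "lat": 50.09, "lon": 14.42, "comment": None,
         "thumbs_up": [{"id": 1001, "username": "jane.doe", "ts": 1578000000}]}

def linkable_ids(snapshot_a, snapshot_b):
    """Ids present in both snapshots: anything returned here can be followed
    from one position to the next, which is exactly the tracking problem."""
    return {d["id"] for d in snapshot_a} & {d["id"] for d in snapshot_b}

def new_session_key() -> bytes:
    """Secret minted per viewer session; keep sessions short, because pseudonyms
    remain linkable for as long as one key is in use."""
    return secrets.token_bytes(32)

def pseudonym(session_key: bytes, account_id: int) -> str:
    """Opaque per-session token: HMAC over the stable id. Two sessions (two keys)
    see unrelated tokens for the same driver, so they cannot be correlated."""
    return hmac.new(session_key, str(account_id).encode(), hashlib.sha256).hexdigest()[:16]

def sanitize_drivers(drivers, session_key: bytes):
    """Replace stable account ids with session-scoped pseudonyms before returning icons."""
    return [{"id": pseudonym(session_key, d["id"]), "lat": d["lat"], "lon": d["lon"]}
            for d in drivers]

def sanitize_alert(alert):
    """Keep what the map needs (type, position, confirmation count) and drop the
    acknowledgers' ids, usernames and timestamps; a username is only echoed when
    the user explicitly attached a public comment."""
    out = {"type": alert["type"], "lat": alert["lat"], "lon": alert["lon"],
           "thumbs_up": len(alert["thumbs_up"])}
    if alert.get("comment"):
        out["comment"] = {"username": alert["comment"]["username"],
                          "text": alert["comment"]["text"]}
    return out
```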