Google’s Waze security glitch allows hackers to track drivers and identify users


    A vulnerability was identified in Google’s Waze, a GPS navigation software, that enables hackers to locate and identify users using their location. This vulnerability was identified by Security DevOps engineer Peter Gasper. The problem was reported to Google in December the previous year and Gasper received a bug bounty of $1,337 in January 2020. The issue has been fixed now.

    “Based on a reward size I think they consider it as a ‘potential’ misuse or possible vulnerability without any active harm done,” Gasper said. 

    Waze is utilized by drivers all around the world to share real-time data on traffic, accidents, and halted roads by solely keeping the app open. The app was developed for private cars so presently it doesn’t support navigating in lanes dedicated to public transportation, trucks, or bicycles.

    Gasper’s investigation into Waze started when he found that he could access Waze from any web browser at and he decided to test how driver icons are enforced. He noted that Waze API can provide data on a location by delivering the location’s coordinates. Besides, it also delivers coordinates of other drivers who are nearby. To his surprise, the identification numbers correlated with the icons were not changing with time, so he decided to track one driver and after some time she appeared in a different place on the same road.

    Gasper proceeded with his research to discover a way to translate ID to a username or vice versa. He was successful when he found that if a user acknowledges any road obstacle or reported police patrol, user ID along with the username is returned by the Waze API to any Wazer driving through that place.

    “The application usually doesn’t show this data unless there is an explicit comment created by the user, but the API response contains the username, ID, location of an event, and even a time when it was acknowledged,” Gasper said in his blog post.

    He clarified that attackers can pick numerous locations with elevated traffic and occasionally call API and crawl the users that confirmed the validity of an obstacle. As many people use their real names as usernames, an attacker can assemble a dictionary of user names and their IDs. They can also store all the icon locations and relate them to the user.

    Recent Articles

    Cypress announced the release of Cypress Component Test Runner, the leading automated testing platform announced on 6th April 2021, the release of Cypress’s dedicated Component Test Runner. The Test Runner is formulated...

    Weekly Newsletter (4th Apr’ 21 to 10th Apr’ 21)

      Here’s the Weekly Newsletter from 4th April’ 2021 to 10th April’ 2021: 1. Tricentis acquires Neotys to broaden its continuous software testing capabilities - Tricentis,...

    Catchpoint announces General Availability of WebPageTest API with enhanced features

      Catchpoint, the digital experience monitoring solution provider announced on 6th April 2021, the public availability of the WebPageTest API which was initially accessible by...

    Dynatrace introduces Cloud-Based Automation to enhance its Software Intelligence Platform

      Software intelligence corporation Dynatrace has enhanced and added new capabilities in cloud-based automation to its software intelligence platform. The capabilities are provided through a...

    FailQonf – Conference on Failures around Testing & Quality

      FailQonf is a Software Testing Conference organized by The Test Trible - India's largest Software Testing Community. While Failure is a common element of...

    Related Stories

    Stay on op - Ge the daily news in your inbox