Google’s Waze security glitch allows hackers to track drivers and identify users


    A vulnerability was identified in Google’s Waze, a GPS navigation software, that enables hackers to locate and identify users using their location. This vulnerability was identified by Security DevOps engineer Peter Gasper. The problem was reported to Google in December the previous year and Gasper received a bug bounty of $1,337 in January 2020. The issue has been fixed now.

    “Based on a reward size I think they consider it as a ‘potential’ misuse or possible vulnerability without any active harm done,” Gasper said. 

    Waze is utilized by drivers all around the world to share real-time data on traffic, accidents, and halted roads by solely keeping the app open. The app was developed for private cars so presently it doesn’t support navigating in lanes dedicated to public transportation, trucks, or bicycles.

    Gasper’s investigation into Waze started when he found that he could access Waze from any web browser at and he decided to test how driver icons are enforced. He noted that Waze API can provide data on a location by delivering the location’s coordinates. Besides, it also delivers coordinates of other drivers who are nearby. To his surprise, the identification numbers correlated with the icons were not changing with time, so he decided to track one driver and after some time she appeared in a different place on the same road.

    Gasper proceeded with his research to discover a way to translate ID to a username or vice versa. He was successful when he found that if a user acknowledges any road obstacle or reported police patrol, user ID along with the username is returned by the Waze API to any Wazer driving through that place.

    “The application usually doesn’t show this data unless there is an explicit comment created by the user, but the API response contains the username, ID, location of an event, and even a time when it was acknowledged,” Gasper said in his blog post.

    He clarified that attackers can pick numerous locations with elevated traffic and occasionally call API and crawl the users that confirmed the validity of an obstacle. As many people use their real names as usernames, an attacker can assemble a dictionary of user names and their IDs. They can also store all the icon locations and relate them to the user.

    Recent Articles

    Brandessence Market Research predicts the RPA industry to reach 18339.95 Million in 2027

      The worldwide market of global robotic process automation (RPA) in terms of revenue was worth USD 2715.75 Million in 2020 and is anticipated to...

    Weekly Newsletter (16th Jan’ 21 to 22nd Jan’ 2021)

      Here’s the Weekly Newsletter from 2nd January’ 2021 to 8th January’ 2021: 1. The Test Tribe completes 3 Years! - ‘The Test Tribe‘ which is India’s...

    Moolympics: A Unique Software Testing Event

      Moolya Software Testing Private Limited is striving to change the course of testing by shifting the action from finding bugs to preventing bugs. They...

    Top 7 Cross-Browser Testing Tools

      Cross-browser testing is a process of evaluating the functionality of your web application on several browsers before pushing changes to production. Here is a...

    Robotic Process Automation (RPA) V/S Selenium

      Technology is at its peak and is progressing at an even faster pace. From automating a simple unit test to automating the whole business...

    Related Stories

    Stay on op - Ge the daily news in your inbox