The users of a popular community-based traffic and navigation app could be the targets of stalkers thanks to a vulnerability in the app’s software. But the company says there’s an easy workaround for concerned users.

A team of computer science researchers at the University of California-Santa Barbara recently demonstrated how drivers using the GPS-based Waze could be monitored by hackers. Using a feature of Waze that displays nearby drivers in real time, one driver can get location information about another driver instantaneously, the researchers noted in a study.

Ghost Drivers

In testing the hypothesis, the team built hundreds of fake driver profiles that they used to monitor real Waze profiles and track their locations. They did this by learning how the app communicates with Waze’s backend servers, then using that information to reverse engineer the app’s process. The team then created a software program that could send commands to Waze’s servers, creating a fleet of nonexistent cars that could report the locations of real cars.

The Waze app, which was originally called Freemap, was developed in Israel by a startup company, then acquired by Google in 2013. The program runs on smartphones and tablets with display screens that provide turn-by-turn information and user-submitted travel times and route details over mobile networks. Waze lets users add phone numbers to the registration process to cater to users who prefer sharing their locations with phone book contacts instead of a wider audience.

How did Waze feel about the UC-Santa Barbara team’s findings? Not thrilled. On its blog, the Waze team refuted many of the researchers' points. The Waze team explained that there were some extenuating circumstances that made it easier for the researchers to find drivers, including that a local TV reporter gave the researchers her Waze username and starting location.

Waze said that no stranger would give another Waze user that kind of information, and that it’s entirely up to each Waze user how much information they make available on the platform. "A stranger cannot search for [or] find your Wazer on the map and follow you," Waze said on its blog.

Fixes Created

The exploit found by the UC-Santa Barbara researchers works only when the user’s app is open and active, at which time the app can share the user’s location with other drivers, Waze said. The app can easily be run in the background or set to invisible mode to keep other drivers unaware of the user’s location, according to the company.

The same researchers had previously found that they could track drivers with the app closed and running in the background, but earlier this year Waze issued a fix that stopped background geo-tracking via the app.

Nonetheless, the researchers plan to discuss the exploit and share other details at MobiSys, an international conference dealing with mobile systems, applications and services. The conference is planned for Singapore in June.
