A vulnerability has been discovered in Google's GPS navigation software app Waze that lets hackers identify and track users.
Autoevolution.com reports that the flaw was discovered by security engineer Peter Gasper. When using the app's web interface, Gasper discovered that he could request the Waze API to display not only his coordinates, but also those of other drivers traveling nearby.
The data returned by the API showed unique identification numbers for the icons on the map that represented other drivers. Those ID numbers did not change over time, making it possible for anyone who exploited the flaw to track a particular app user over their entire journey.
“I decided to track one driver and after some time she really appeared in a different place on the same road,” explained Gasper. “I have spawned code editor and built Chromium extension leveraging chrome.devtools component to capture JSON responses from the API. I was able to visualize how users broadly traveled between the city districts or even cities themselves.”
Further investigation by Gasper revealed that a threat actor could access the actual names of users who had interacted with the app.
“I found out that if a user acknowledges any road obstacle or reported police patrol, user ID together with the username is returned by the Waze API to any Wazer driving through the place,” said Gasper.
“The application usually doesn’t show this data unless there is an explicit comment created by the user, but the API response contains the username, ID, location of an event and even a time when it was acknowledged.”
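Both problems Gasper describes come down to the API returning more than the map renders: stable identifiers for nearby drivers, and user IDs, usernames and acknowledgement times for road events. The following is an added Python illustration of the server-side mitigations, not Waze's code: nearby-driver icons get a pseudonym keyed to the requesting viewer and a time window (so one requester cannot correlate a driver across windows, and two requesters cannot correlate at all), event responses carry a username only when the user left an explicit comment, and a response check flags sensitive fields before they leave the server. The driver and event records, field names and secret are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample of what a backend might hold internally (not real Waze data).
INTERNAL_DRIVERS = [
    {"user_id": 1001, "username": "alice", "lat": 50.0875, "lon": 14.4213},
    {"user_id": 1002, "username": "bob", "lat": 50.0901, "lon": 14.4250},
]
INTERNAL_EVENT = {"user_id": 1001, "username": "alice", "kind": "police",
                  "lat": 50.0880, "lon": 14.4220, "acked_at": 1609459200,
                  "comment": None}

# Field names that must never appear in a public response (assumed names).
SENSITIVE_FIELDS = {"user_id", "username", "acked_at"}


def ephemeral_id(user_id: int, viewer: str, epoch: int, secret: bytes) -> str:
    """Per-viewer, per-time-window pseudonym for a stable internal user id.

    Keyed with a server secret so a client cannot recompute or reverse it;
    mixing in the viewer and the epoch means the same driver gets a different
    icon id for each requester and for each time window.
    """
    msg = f"{viewer}|{epoch}|{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:16]


def nearby_drivers(drivers, viewer, now, secret, window=300):
    """Public 'drivers near me' response: pseudonymous icon id plus position only."""
    epoch = int(now // window)
    return [{"icon_id": ephemeral_id(d["user_id"], viewer, epoch, secret),
             "lat": d["lat"], "lon": d["lon"]} for d in drivers]


def event_view(event):
    """Public road-event response limited to what the map actually renders."""
    out = {"kind": event["kind"], "lat": event["lat"], "lon": event["lon"]}
    if event.get("comment"):  # username only when the user explicitly commented
        out["username"] = event["username"]
        out["comment"] = event["comment"]
    return out


def leaked_fields(payload):
    """Runtime check: collect sensitive field names present anywhere in a response."""
    found, stack = set(), [payload]
    while stack:
        item = stack.pop()
        if isinstance(item, dict):
            found |= SENSITIVE_FIELDS.intersection(item)
            stack.extend(item.values())
        elif isinstance(item, list):
            stack.extend(item)
    return found
```

Running `leaked_fields` over every outbound response is a cheap stand-in for the "what data are your APIs transmitting" question raised later in the article.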
In December, Gasper reported the vulnerability to the Google-owned company Waze, earning a $1,337 bug bounty for his discovery. The flaw has since been patched.
“Across any given enterprise, API-based vulnerabilities are rampant, creating easy opportunities for malicious actors to exploit. That’s why it’s so important for organizations to have runtime visibility into all APIs,” commented Jason Kent, Cequence Security's hacker in residence.
“Enterprises need, at all times, to be able to answer simple questions like: how many APIs do we have and who owns them; have the appropriate levels of authentication and access controls been enabled; and what type of data are your APIs transmitting?”