Tracking Users on Waze

A security researcher discovered a vulnerability in Waze that breaks the anonymity of users:

I found out that I can visit Waze from any web browser at waze.com/livemap so I decided to check how those driver icons are implemented. What I found is that I can ask the Waze API for data on a location by sending my latitude and longitude coordinates. Besides the essential traffic information, Waze also sends me coordinates of other drivers who are nearby. What caught my eye was that identification numbers (ID) associated with the icons were not changing over time. I decided to track one driver and after some time she really appeared in a different place on the same road.

The vulnerability has been fixed. More interesting is that the researcher was able to de-anonymize some of the Waze users, proving yet again that anonymity is hard when we’re all so different.

Posted on October 29, 2020 at 9:52 AM • 4 Comments
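
The linkability issue described in the post, next to one common mitigation, as an added example that is not part of the original post and is not Waze's code or its actual fix. The response layout, `SERVER_KEY`, `EPOCH_SECONDS` and the viewer session name are assumptions, and the sample data is constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample: three polls of a hypothetical "nearby drivers" endpoint, as
# (timestamp_seconds, [(internal_driver_id, lat, lon), ...]). Not real Waze data or fields.
POLLS = [
    (0,    [(1001, 50.0800, 14.4200), (1002, 50.0900, 14.4300)]),
    (600,  [(1001, 50.0850, 14.4260), (1002, 50.0910, 14.4330)]),
    (1200, [(1001, 50.0900, 14.4320), (1003, 50.0700, 14.4100)]),
]
SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server
EPOCH_SECONDS = 600                   # assumption: public IDs rotate every 10 minutes

def persistent_id(driver_id, viewer, ts):
    """Behaviour described in the post: the same public ID in every response."""
    return str(driver_id)

def rotating_id(driver_id, viewer, ts):
    """Pseudonym bound to the requesting session and the current time window."""
    epoch = ts // EPOCH_SECONDS
    msg = f"{driver_id}|{viewer}|{epoch}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]

def render(polls, id_fn, viewer="session-A"):
    """Build what one client would receive: (public_id, lat, lon) per poll."""
    return [[(id_fn(d, viewer, ts), lat, lon) for d, lat, lon in recs]
            for ts, recs in polls]

def linkable_tracks(responses):
    """Audit check: a public ID seen in more than one poll links a trajectory."""
    tracks = defaultdict(list)
    for poll in responses:
        for public_id, lat, lon in poll:
            tracks[public_id].append((lat, lon))
    return {i: pts for i, pts in tracks.items() if len(pts) > 1}

if __name__ == "__main__":
    for name, fn in (("persistent", persistent_id), ("rotating", rotating_id)):
        print(name, "linkable IDs:", len(linkable_tracks(render(POLLS, fn))))
```

Rotation only removes the trivial join on ID; successive positions that lie close together on the same road can still be correlated, so coarsening or withholding other users' positions matters as well.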

Comments

Andy October 29, 2020 10:39 AM

It’s a vulnerability because users don’t expect that the world, not just Google (Waze?), can view their road trips.

Clive Robinson October 29, 2020 10:49 AM

@ Bruce, ALL,

proving yet again that anonymity is hard when we’re all so different.

Eventually people will realise that redaction and anonymity are but two sides of the same Mobius strip.

It’s also why it is best “To lie with the truth”.

Information is what the ancient Greeks called “a tomos” or “uncuttable”: each piece of information is meta-information about other information. If you seek to change one part you have to change the whole, otherwise evidence of the change exists, and can be followed to the change from many different routes.

xcv October 29, 2020 12:31 PM

I decided to track one driver and after some time she really appeared in a different place on the same road.

The vulnerability has been fixed.

“Fixed.” That’s almost a classic. There’s a male mechanic ripping some gal off at the body shop, and he’s already “fixed” her car, and has a lien against the title.

Guns are banned, and cyberstalkers are stalking in real life for opportunities to commit forcible rape or murder.

Is the gal supposed to shoot back at the guy, or press charges with the guys at the police station who are already buddies with the insurance agents, hospitals, and body shop owners? And then there’s some other dude “in the family” going to court to allege that the gal has mental problems and have her driver’s license revoked and make sure she doesn’t have any weapons.
