Waze app
Waze says its GPS sat nav app was not to blame for Israeli soldiers accidentally straying into Palestinian TerritoryReuters

Researchers from the University of California, Santa Barbara have discovered a vulnerability in Google's popular navigation app Waze that can allow hackers to stalk a user in real-time. Although the research team had made the tech-giant aware of the issues earlier, the company subsequently solved some but not all of the problems.

By inserting their own computers in-between the company's servers and a user's phone and reverse-engineering Waze's server code, the researchers found that they could create thousands of "ghost drivers" on Waze's systems. Due to the app's social nature, these ghost cars can monitor the real drivers around them and even create virtual traffic jams - an exploit that could be used by malicious hackers to track Waze users in real-time.

The hack only works when the app is in the foreground as Waze had "turned off" the background location sharing feature in January. It also breaks when a user switches on the app's invisibility mode. However, the vulnerability could put millions of users, who depend on the community-centric app to monitor traffic and find the best route to their destination, at risk of being followed.

Kashmir Hill, a writer at Fusion, helped researchers demonstrate the flaw by allowing them to track her over a three-day period, which they managed to perform successfully.

"Waze constantly improves its mechanisms and tools to prevent abuse and misuse," a spokesman for Waze told Fusion. "This group of researchers connected with us in 2014, and we have already addressed some of their claims, implementing safeguards in our system to protect the privacy of our users." The company described one of the safeguards implemented is a "system of cloaking", which means users' locations are not shown on the app consistently or in real time.

Waze also released a statement in response to the study and an unnamed "news article" to address what it calls "severe misconceptions" on 27 April.

The company said faux cars are the norm in places where Waze is new, adding that these "comforting" icons are a "reminder that we are all in this together and there are others ahead in your journey who may be able to help". They also argue that since the reporter in the article gave her location and username to the research team it "greatly simplified the process of deducing sections of her route after the fact by using a system of ghost riders".

However, Hill said that the use of basic information to track one's whereabouts is precisely the point of the test. "I did give my location to the researchers, [and] it was a surprise to me that knowing where I live or where I work would be sufficient information for a hacker to then follow my movements using Waze," Hill said in an email to Recode.

The company says the research did prompt a change in its privacy safeguards in the last 24 hours. "We appreciate the researchers bringing this to our attention and have implemented safeguards in the past 24 hours to address the vulnerability and prevent ghost riders from affecting system behavior and performing similar tracking activities," Waze said. "None of these activities have occurred in real-time and in real-world environments, without knowing participants."

The latest vulnerability is not the first time Waze has proven to be unreliable. In 2015 reports claimed that an elderly woman was shot dead in Rio de Janeiro after allegedly following the GPS app that sent her and her husband through a dangerous, crime-ridden favela. In 2014, two Israeli students successfully hacked the app and used emulators to flood it with fake cars and report non-existent traffic jams.

According to researchers, the hack could potentially work on many other apps as well.

"With a [dating app] you could flood an area with your own profile or robot profiles and basically ruin it for your area," said researcher, Ben Zhao. "We looked at a bunch of different apps and nearly all of them had this near-catastrophic vulnerability."

The team will be presenting the paper on their findings at the MobiSys conference in Singapore in June. Google had purchased Waze, an Israeli start-up, for $1.1bn in 2013.