Researchers have shown that the Waze navigation app from Google (NASDAQ: GOOG) could be used to stalk someone in real-time using "ghost cars" but proper safeguards have been implemented.
Google has been made aware of the Waze problem and they have tried to fix them but it seems that there are still some bugs and vulnerabilities that can be exploited. Waze has already tried to implement new safeguards in order to block the known exploits.
Researchers from the University of California in Santa Barbara have reverse-engineered the data that Waze sends to their servers and client applications. They were able to create "ghost drivers" that can be used to track another Waze user's location in real-time, PC Mag reported.
Waze said that they appreciate the effort of the researchers and their initiative to bring the problems to their attention. They have already placed safeguards that would prevent ghost riders and ghost cars from affecting the whole behavior and experience of the app.
In addition, Waze believes that there have been no known real life occurrences in which a user was being tracked by someone else. The Fusion reporter that was involved in showing how the exploit was used also gave her location and username to the researchers which has led to them easily processing the hack.
Previously, the exploit could be used even while Waze is running just in the background. The new safeguards that Waze implemented now requires the app to be running in the foreground for the exploit to work.
In that sense, there would be no hacker that will be able to track someone for 24 hours a day and seven days a week unless the user leaves the app running all day and all night long. Users can also prevent being tracked by switching the Invisible mode on.
The researchers managed to use the ghost drivers or ghost riders by performing a "man-in-the-middle" attack, Fortune reported. Their computers and devices were virtually placed in-between the Waze servers and any of the user's smartphones.
Unfortunately, the Invisible mode setting resets after every use of the app. Waze believes that the community wants to help the app improve by sending a part of their information in order for a smoother experience.
The researchers will be presenting a paper regarding the Waze hack at the MobiSys conference that will be held in Singapore in June. They believe that Waze won't be the last app to be vulnerable against the kind of attack they did.