Waze, the Google-owned app, responded to security concerns raised by a recent study that exposed weaknesses in the app that hackers could exploit. According to the researchers, users could be followed if a hacker exploited the network by creating multiple ghost riders.
Waze clarified that users' accounts were not compromised and that there was no server breach. The team also gave assurances that all account data is safe, according to a statement the company published in a blog post.
“The Waze ecosystem is built upon trust and deep respect for all of you, real-time traffic simply does not work without the participation of our community, and we are constantly reviewing and adding safeguards to protect our users,” the team said.
Researchers then addressed a few ‘misconceptions’ about the research. The University of California team involved in the study discussed the topics separately, point by point. They clarified that strangers cannot search for Wazer users on the map.
According to the statement, a user's current location is not shown precisely to other Wazers. In addition, the random snapshot of activity in the area doesn’t show the exact place where the user is. When it first entered new countries, Waze began marking community members on the map. This was a way to show newbies that the community was thriving locally and that traffic information was current.
Vulnerability allows real-time tracking of 50 million Waze nav app users https://t.co/LAZRsJlhTu via gcluley
— BrianHonan (@BrianHonan) April 29, 2016
In addition, the company said the reporter involved gave plenty of information that helped the hacking process to . She handed over her location and username to the research team, which simplified the process of deducing sections of her route. This in turn disproves the security concerns to some extent, since it is up to users to decide what information they publish.
Reverse engineering enabled U.C. researchers to break Waze’s security
Researchers from U.C. said that they learned how the app communicated with its back-end servers and used that information to reverse-engineer how the app operates. After this first phase, they wrote software that sent commands to Waze's servers, virtually creating the ghost cars that were able to determine the position of real drivers, as reported by Tech Times.
However, Waze added that Wazers choose how much information to give the app and that they can always choose invisible mode as well. This mode keeps a user's icon from being shown on the map, but the option resets every time the app starts.