Google’s (GOOG) Waze navigation app has flaws that could allow someone to stalk a user in real time, according to researchers at the University of California, Santa Barbara.
The researchers previously made Google aware of the problems, and it seems the company mitigated some but not all of them. Fusion writer Kashmir Hill allowed the researchers to track her over a three-day period.
The technique involves creating “ghost cars” on Waze’s systems that, due to the app’s social nature, can monitor the real drivers around them. It can also be used to create fake traffic jams.
Thanks to Waze’s mitigation of the problems, the technique only works when Waze is running in the foreground, not when it is running in the background.
However, although Google claimed to have instituted a “cloaking” mechanism to occasionally obscure the user’s actual location, Hill wrote that the researchers were able to compile an accurate series of time-stamps for her journeys.
The key for the researchers was being able to perform a “man-in-the-middle” attack on Waze’s systems, inserting their own computers between the company’s servers and a user’s phone, in order to figure out how the communications work and thereby dupe the system into accepting those phantom cars.
They claim the same technique could be used on many other apps, allowing attackers to hoover up all kinds of personal information.