Screen view of the Waze traffic GPS app on an iPhone. The application gives users real-time traffic GPS service and the ability to crowd-source reports on road hazards, standstill traffic, police activity, and photo traffic cameras.
Photograph by Linda Davidson — The Washington Post/Getty Images
By David Meyer
April 27, 2016

Google’s (GOOG) Waze navigation app has flaws that could allow someone to stalk a user in real time, according to researchers at the University of California, Santa Barbara.

The researchers previously made Google aware of the problems, and it seems the company mitigated some but not all of them. Fusion writer Kashmir Hill allowed the researchers to track her over a three-day period.

The technique involves creating “ghost cars” on Waze’s systems that, due to the app’s social nature, can monitor the real drivers around them. It can also be used to create fake traffic jams.


Thanks to Waze’s mitigation of the problems, the technique only works when Waze is running in the foreground, not when it is running in the background.

However, although Google claimed to have instituted a “cloaking” mechanism to occasionally obscure the user’s actual location, Hill wrote that the researchers were able to compile an accurate series of time-stamps for her journeys.

The key for the researchers was being able to perform a “man-in-the-middle” attack on Waze’s systems, inserting their own computers between the company’s servers and a user’s phone in order to figure out how the communications work and thereby dupe the system into accepting those phantom cars.


They claim the same technique could be used on many other apps, allowing attackers to hoover up all kinds of personal information.
