Kashmir Hill at Fusion shares the findings from a research team at the University of California-Santa Barbara:
Here’s how the exploit works. Waze’s servers communicate with phones using an SSL encrypted connection, a security precaution meant to ensure that Waze’s computers are really talking to a Waze app on someone’s smartphone. Zhao and his graduate students discovered they could intercept that communication by getting the phone to accept their own computer as a go-between in the connection. Once in between the phone and the Waze servers, they could reverse-engineer the Waze protocol, learning the language that the Waze app uses to talk to Waze’s back-end app servers. With that knowledge in hand, the team was able to write a program that issued commands directly to Waze servers, allowing the researchers to populate the Waze system with thousands of “ghost cars”—cars that could cause a fake traffic jam or, because Waze is a social app where drivers broadcast their locations, monitor all the drivers around them.
I’ve never really understood the appeal of Waze. But there are more than 50 million people who use the app, making a vulnerability like this a serious problem. What’s worse is that this hack could be applied to virtually any other app.
“With a [dating app], you could flood an area with your own profile or robot profiles and basically ruin it for your area,” said [Ben Zhao, professor of computer science at UC-Santa Barbara]. “We looked at a bunch of different apps and nearly all of them had this near-catastrophic vulnerability.”
So be careful about which apps you allow to access your location. Or, turn off location services entirely.