Waze has come a long way since its launch back in 2008. Winner of the Best Overall Mobile App award at the 2013 Mobile World Congress, the Israeli-based startup was sold to Google last year for a whopping $1.3 billion. Unfortunately, two students from the Technion have revealed a huge security issue in the popular app.
The revolutionary Israeli navigation software made waves by integrating social networking into its user interface and enabling commercial collaborations with strategic businesses. Even Google couldn’t afford to stay indifferent to the app’s massive potential.
Everything was looking bright until Shir Yadid and Meital Ben-Sinai, software engineering students at the Technion Institute of Technology in Israel, found a glaring loophole in the application. Waze are aware of the POC, but have not released any security patches so far.
Yadid and Ben-Sinai were successful in launching an organized cyberattack on the application. They managed to create a large number of fake users by fooling the app into believing that the registrations were being made from unique smartphones. The next stage was orchestrating this fake “botnet” to report a bogus traffic jam at a random location.
The results were worrying. Waze fell prey to the malicious manipulation and reported a traffic jam at the desired location, sending real drivers via alternate routes. The app apparently has no real-time security mechanism to prevent or even detect such external interference. The students have sent their proof-of-concept to Waze for further inspection.
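The missing check described above can be sketched as a server-side filter. This is an added example, not code from Waze or from the students. It flags a cluster of jam reports when nearly all reporters are new accounts with no driving trail. The record fields, thresholds and sample data are assumptions constructed for illustration.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Thresholds and field names are assumptions for illustration, not Waze's.
MIN_REPORTS, UNTRUSTED_SHARE = 5, 0.8    # cluster size and share that trigger a flag
NEW_ACCOUNT_DAYS, MIN_TRAIL_KM = 2, 1.0  # "new" account and minimum driven trail
CELL_DEG, WINDOW_S = 0.01, 600           # ~1 km grid cell, 10-minute time bucket

@dataclass(frozen=True)
class JamReport:
    account_id: str
    account_age_days: float
    trail_km: float   # distance the account was tracked driving before reporting
    lat: float
    lon: float
    ts: int           # Unix seconds

def is_untrusted(r):
    """A new account that reports without any driving history behind it."""
    return r.account_age_days < NEW_ACCOUNT_DAYS and r.trail_km < MIN_TRAIL_KM

def suspicious_clusters(reports):
    """Return {(cell_lat, cell_lon, bucket): untrusted_share} for flagged clusters."""
    clusters = defaultdict(dict)
    for r in reports:
        key = (math.floor(r.lat / CELL_DEG), math.floor(r.lon / CELL_DEG),
               r.ts // WINDOW_S)
        clusters[key][r.account_id] = r   # one vote per account per cluster
    flagged = {}
    for key, by_account in clusters.items():
        members = list(by_account.values())
        if len(members) < MIN_REPORTS:
            continue
        share = sum(is_untrusted(m) for m in members) / len(members)
        if share >= UNTRUSTED_SHARE:
            flagged[key] = share
    return flagged

def constructed_sample(t0=1_400_000_000):
    """Constructed data: six fresh accounts at one spot, six seasoned drivers at another."""
    fake = [JamReport(f"new{i}", 0.1, 0.0, 32.7767, 35.0231, t0 + 30 * i)
            for i in range(6)]
    real = [JamReport(f"old{i}", 120 + i, 6.5, 32.0853, 34.7818, t0 + 30 * i)
            for i in range(6)]
    return fake + real

if __name__ == "__main__":
    print(suspicious_clusters(constructed_sample()))
```

A flagged cluster is a candidate for withholding the jam from routing until trusted reporters or passive speed data corroborate it.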
Waze is a multi-platform application, compatible with Android, iOS, Windows Mobile and even lesser-used OSs such as Symbian and Blackberry. Hence, it’s extremely important to eliminate vulnerabilities so that drivers don’t fall prey to criminally or commercially motivated manipulations. Application-layer security is the need of the hour.
Source – Technion Students Hack Waze