An amazingly simple security hole in the popular navigation app allows any user, and even third-party applications, to access and read your navigation history, and even to change the advertisements the application displays. All the details are here.
A security breach was discovered at Waze that lets users make changes to the application, remove the advertisements and access the navigation history. Waze explained to Geektime that they know about the problem and that the solution already exists in beta, but it has yet to be updated for mobile users.
What’s this? Any Android app can, if it wants to, write files to the device’s internal and external memory. Application developers have several options for writing these files: in encrypted and protected form, or in unencrypted form amounting to a simple text file.
The Waze app developers chose to write the application’s configuration file (Settings) and the file containing the user’s preferred destinations and navigation history (History) in plain text, without any encryption. Any user who wants to can change the settings there and cause the application to behave as he wishes, or alternatively can retrieve data about the user’s history from the file. Even worse, anyone able to read the phone’s internal memory or memory card can change these files as they see fit.
Waze files can be found in the main folder of a device’s internal memory (SD-card folder):
The first file contains a list of recent navigations on Waze, and your own favorites. Here’s a zoom from our device as of now:
As you can see, the list of favorites and the navigation history on your device can be read very clearly in English (or Hebrew). Because the file is readable in this form, other applications can access this information and do with it as they please. They can rename favorites or, worse, locations, so that choosing a location from your history will not necessarily get you to that same place the next time you select it.
The second file, Preferences, includes various settings that Waze probably would not want anyone to have access to:
By changing a number of settings in this file you can completely eliminate all the advertisements displayed on Waze. You can also change the links Waze presents for its help videos to any other video you want (even from malicious sources), and you can replace the server address for Waze advertisements with another server, which could then present foreign content in the application.
It is important to note that this flaw is in the application itself and is not a hole in the entire system that could affect everyone who uses Waze. The flaw does not allow access to user accounts or passwords. However, one must take care when granting applications permission to read/write internal memory on a device, since an application with that permission can change these files as it pleases. To illustrate the breach, you can change these settings as desired, as long as you have a file manager and a text editor installed on the device.
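One way an app can treat a settings file on shared storage as untrusted input, given here as an added example and not Waze's code: the file carries an HMAC computed with a key kept in app-private storage, and endpoint settings are accepted only as https URLs on an allowlist. The key=value format, the setting names and the hosts are assumptions, since the article does not show the file's contents.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Hypothetical setting names and hosts; the article does not show the real file format.
ALLOWED_HOSTS = {"ads_server": {"ads.example.com"}, "help_video": {"video.example.com"}}
DEFAULTS = {"ads_server": "https://ads.example.com/",
            "help_video": "https://video.example.com/help"}


def _tag(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def seal(body: str, key: bytes) -> str:
    """Append an HMAC-SHA256 line so later edits to the file are detectable."""
    return f"{body}\n#mac={_tag(body, key)}\n"


def endpoint_ok(name: str, url: str) -> bool:
    """Accept only https URLs whose host is on the allowlist for this setting."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS[name]


def load_settings(text: str, key: bytes) -> dict:
    """Return validated settings; fall back to DEFAULTS if the MAC is missing or wrong."""
    body, sep, tag = text.rstrip("\n").rpartition("\n#mac=")
    if not sep or not hmac.compare_digest(_tag(body, key).encode(), tag.strip().encode()):
        return dict(DEFAULTS)
    settings = dict(DEFAULTS)
    for line in body.splitlines():
        name, eq, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if eq and name in ALLOWED_HOSTS and endpoint_ok(name, value):
            settings[name] = value
    return settings


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: the real key lives in app-private storage
    sealed = seal("ads_server=https://ads.example.com/v2", key)  # constructed sample
    edited = sealed.replace("ads.example.com", "ads.other.test")  # edit made by another app
    print(load_settings(sealed, key)["ads_server"])
    print(load_settings(edited, key)["ads_server"])
```

The MAC only detects modification; it does not hide the file's contents, so data such as navigation history still belongs in app-private storage.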
Response from Waze: The next version will repair the bug
Fej (Yuval) Shmuelevitz, VP Community and Operations at Waze, responded to Geektime saying “These files existed until now mainly for people who wanted to change the colors and play with the Waze user interface. The vulnerability that was demonstrated in the article does not demonstrate any danger that would result in stolen information or the compromising of user names and passwords.”
“However, we are aware of the issue and changed the behavior of the application in the current beta version of Waze, so it will be updated and corrected for all users along with the launch of the next stable version of Waze. It is important to note that for those who wish to use this vulnerability to install malware on a victim’s device, the least likely place for them to target would be their history files. Nonetheless, these files will not be accessible in the next version.”
Thanks to Lior Harsat for helping out with this article.