Last week, I tested the Waze vulnerability myself, to see how successfully the UC Santa Barbara team could track me over a three-day period. I told them I'd be in Las Vegas and San Francisco, and where I was staying — the kind of information a snoopy stalker might know about someone he or she wanted to track. Then, their ghost army tried to keep tabs on where I went.
In its response, Waze notes that faux car icons are the norm — a way to make users feel like they're not so alone in places where Waze is new. And it insisted that "a stranger cannot" find or follow you while using the app.
More from Re/code:
Venmo is growing ridiculously fast
KISS guitarist Tommy Thayer is doing an app for kids
Self-driving cars will be huge for disabled people
Plus, there's a hitch here, Waze countered: Hill wanted to be found. "The reporter in the article gave her location and username to the research team," the post reads, "which greatly simplified the process of deducing sections of her route after the fact by using a system of ghost riders."
But that, Hill said via email, is just the point: "I did give my location to the researchers, [and] it was a surprise to me that knowing where I live or where I work would be sufficient information for a hacker to then follow my movements using Waze."
Still, the company said the research prompted a change in its privacy safeguards:
We appreciate the researchers bringing this to our attention and have implemented safeguards in the past 24 hours to address the vulnerability and prevent ghost riders from affecting system behavior and performing similar tracking activities. None of these activities have occurred in real-time and in real-world environments, without knowing participants.
Waze declined to comment on what those safeguards are exactly.