The exploit leverages the Waze feature that shows you nearby users, showing that the data you’re seeing is live and giving you options should you need help. The researchers created hundreds of fake driver profiles, which would keep tabs on a given real profile and track its location more or less in real time.
“We appreciate the researchers bringing this to our attention and have implemented safeguards in the past 24 hours to address the vulnerability and prevent ghost riders from affecting system behavior and performing similar tracking activities,” read the Waze blog post addressing the issue.
The company pointed out, however, that the reporter had given the researchers her username and starting location (a nice head start), and that the exploit only worked when the app was open and active — at which point your location is being shared with people around you anyway. You can also defeat the exploit by turning on “invisible mode,” which seems like the first step you’d want to take if you were worried about being tracked.
More details on the exploit and others like it will be presented by the researchers at MobiSys in June.