Yesterday, research surfaced showing how Waze, the Google-owned driving assistance app, has a vulnerability that would let hackers track users’ whereabouts unbeknownst to them.
No way, Waze replied today. The Google unit released a statement addressing what it calls “severe misconceptions” about the study, released by researchers at University of California Santa Barbara, and an unnamed “news article.”
That article, I’ll venture, is from Fusion’s Kashmir Hill. She detailed how researchers, in essence, reverse engineered Waze’s servers to create several “ghost drivers” — fake versions of the little car icons you see on the app — that enable them to track other drivers in real time. She even applied the app’s bug hack to herself:
Last week, I tested the Waze vulnerability myself, to see how successfully the UC Santa Barbara team could track me over a three-day period. I told them I’d be in Las Vegas and San Francisco, and where I was staying — the kind of information a snoopy stalker might know about someone he or she wanted to track. Then, their ghost army tried to keep tabs on where I went.
In its response, Waze notes that faux car icons are the norm — a way to make users feel like they’re not so alone in places where Waze is new. And it insisted that “a stranger cannot” find or follow you while using the app.
Plus, there’s a hitch here, Waze countered: Hill wanted to be found. “The reporter in the article gave her location and username to the research team,” the post reads, “which greatly simplified the process of deducing sections of her route after the fact by using a system of ghost riders.”
But that, Hill said via email, is just the point: “I did give my location to the researchers, [and] it was a surprise to me that knowing where I live or where I work would be sufficient information for a hacker to then follow my movements using Waze.”
Still, the company said the research prompted a change in its privacy safeguards:
We appreciate the researchers bringing this to our attention and have implemented safeguards in the past 24 hours to address the vulnerability and prevent ghost riders from affecting system behavior and performing similar tracking activities. None of these activities have occurred in real-time and in real-world environments, without knowing participants.
Waze declined to comment on what those safeguards are exactly.
Waze’s parent, Google, has also faced criticism of its vulnerabilities, particularly around Android. In those cases, researchers found security holes, but never any incidences of actual hacks.
This article originally appeared on Recode.net.