Security researchers at UC Santa Barbara found that they were able to create thousands of ghost drivers to monitor other drivers, by intercepting the encrypted communications between the Waze servers and users’ phones adn then reverse-engineering the protocol. The good news is that the tracking only works when Waze is running in the foreground on the device.
http://fusion.net/story/293157/waze-hack/
But there’s even better news. Waze fairly quickly came up with a fix to prevent the “ghost riders” from performing tracking or affecting the system’s behavior.