The makers of Google’s traffic app Waze have defended it against claims it can be used to track the location of users.

The app depends on real-time updates from users regarding traffic. Researchers at the University of California Santa Barbara said “lack of strong location authentication” allows the creation of software which can expose Waze’s crowdsourced map systems to a variety of security and privacy attacks.

The report claims a single so-called Sybil device “can cause havoc on Waze”, reporting false congestion and accidents and automatically rerouting traffic. It also said researchers were able to “create armies of virtual vehicles capable of remotely tracking precise movements for large user populations while avoiding detection”.

However, Waze said it is constantly reviewing and adding safeguards to protect its users and that the research had led to “a few severe misconceptions” in related news coverage.

It said the figures that show the location of drivers are not in real-time but “minutes old”, and a random snapshot of activity in an area, adding that users always can always choose invisible mode so that their icon doesn’t show on the map.

It also said a user involved in the research had given their location and user name, which “greatly simplified the process of deducing sections of her route… by using a system of ghost riders”.

Waze did say it appreciated the efforts by the researchers and has “implemented safeguards” to address the vulnerability and prevent ghost riders from affecting system behaviour and performing tracking activities.

Last year, the New York City Police Department asked Google to deactivate a feature on Waze that allows users to share the presence of police in real-time.