It's an SSL (Secure Sockets Layer) based exploit similar to the one Apple had to deal with back in 2014. Waze's servers secure the connection with SSL encryption, but UC Santa Barbara's graduate student research team and their professor, Ben Zhao, discovered that they could sneak into the middle of that connection.
Because Waze shows each user the other users of the app on the road, the team could create thousands of "ghost cars" in the app, which then enabled them to monitor the drivers around these digital cars. As well as successfully tracking a member of their own team, Zhao's students were able to follow the movements of Fusion.net's Kashmir Hill over three days, sending accurate timestamps that corresponded with each of the locations snooped out.
An earlier exploit on Waze, which created fake traffic jams, was patched by the developers in January by forbidding the app from broadcasting the user's location when it was running in the background on their smartphone. Currently, the location is broadcast only when the app is activated and used in the foreground, as proved by Kashmir Hill's trial tracking. The earlier safety update was said to be an energy-saving feature, which it undoubtedly is.
Zhao says that the vulnerability is "bigger than Waze," as the exploit could be successful on other kinds of apps as well, for example to create bot profiles on a dating app. The vulnerability discovered by the team can be avoided by switching on Waze's "invisible mode," but that mode is automatically turned off every time the app is restarted.