If you think you've found a bug on the website which isn't specifically an App or Map Editor problem, or have a request for a new or modified feature of the Community, Forums, or Waze website, use this forum.
Post by daghb
Looks like there is an issue with their blog at https://blog.waze.com also: "The webpage at https://blog.waze.com/ might be temporarily down or it may have moved permanently to a new web address."
daghb
Posts: 37
Has thanked: 10 times
Been thanked: 13 times

Post by iainhouse
I suspect that these pages may, in fact, be compromised.

Although I can't access either with Chrome - due to the re-direct to https and the security certificate mismatch - I can access them with Internet Explorer (IE11).

I have Adobe Flash set to click-to-play, so no Flash content can run automatically. Both these pages want to run Flash content. I don't think the blog pages use Flash. I'm pretty sure the status page doesn't!

WordPress has a long history of security vulnerabilities & hijacks, so it wouldn't surprise me if these pages were compromised. More importantly the last month has seen several highly critical vulnerabilities revealed in Adobe Flash, meaning that any Windows computer that is not fully patched can be infected with no user interaction. The presence of unexpected Flash content is therefore a massive red flag.
iainhouse
EmeritusChamps
Posts: 11143
Answers: 1
Has thanked: 2173 times
Been thanked: 8188 times
My scripts: WME FixUI WME Presets :ugeek:
I want to go to a commune in Vermont and deal with no unit of time shorter than a season

Post by iainhouse
Please note that I am now 100% convinced that, at least, status.waze.com has been compromised.
[EDIT] No I'm not - see next post. :oops:

Thank you to bz2012 who forwarded me some detailed information. There is some extremely suspicious data being served up by the status page. I have reported all of this directly to Waze, but we probably won't hear anything until Sunday morning.

In the meantime, I strongly advise you to avoid status.waze.com and blog.waze.com, regardless of your OS, plugin availability or patch level.

I would also strongly advise you to change settings so that Adobe Flash Player is in "click-to-run" mode, such that Flash content can only run if you specifically enable it. And, although you can override this setting for some websites (depending on your browser), I would also advise never doing so. Instructions for various browsers

Adobe Flash is a constantly-vulnerable target. For years now there has been a steady stream of critical security flaws in Flash Player and there is no sign that this will stop. Flash is used in too many places for removing it to be really convenient, but allowing Flash content to play automatically is the online equivalent of walking the school halls with a "KICK ME" sign taped to your back.

Post by iainhouse
Firstly, I have had a response from Waze about this issue:
"Guys, the pages are safe. What you posted are additions by wordpress that we have no control over, but are not security issues."
On that basis, and also a comment from someone else who is familiar with this sort of thing, I'm willing to accept that the previously-mentioned suspicious content served up by the Status page is OK: suspicious-looking, but not actually malicious.

So I withdraw my earlier statement - these pages are probably OK. What we are probably seeing here is the result of poor security practices:
  • Unnecessary use of Flash. The Flash content on status.waze.com appears to be something to do with emojis. Not malicious, but does it really add anything to the page? Certainly nothing visible I can see. As for blog.waze.com, someone has pointed out that it isn't a WordPress site. Also, to be fair, I could see Flash content might reasonably be posted here: videos and that sort of thing.
  • Security certificate problems. This issue has only really been highlighted because Chrome is constantly hardening its security features. Internet Explorer doesn't have a problem. I suspect the latest version of Chrome is somehow deciding that the 2 sites can be accessed by https and insisting on doing so. That is then highlighting a certificate problem that wasn't relevant with http.
    Having said that, since they publish the website, Waze should have dealt with this issue before. This issue has also been raised directly with HQ and we're awaiting a response.
My advice about disabling auto-running of Flash content still stands: nothing to do with Waze specifically, but as a general matter of protecting your computer. I'm not a security expert, but I have been sysadmin of a small company for 15 years and I've managed to prevent any infections on up to 150 computers in that time. :)
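The situation described in the post above (a certificate problem that only matters once visitors are pushed onto https), as an added example that is not part of the thread. The certificate names are constructed placeholders, and `diagnose` and its result labels are hypothetical; nothing here reflects what the Waze hosts actually served.

```python
# Added example: constructed inputs only, no network access.
from urllib.parse import urlsplit

# Constructed SAN list: a certificate issued for a hosting provider's own
# names (placeholder domain), not for the site that points at it.
PROVIDER_SANS = ["*.hosting-provider.example", "hosting-provider.example"]


def name_matches(hostname, pattern):
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # a wildcard never covers more than one label
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname, san_dns_names):
    """True if any DNS name in the certificate covers the hostname."""
    return any(name_matches(hostname, p) for p in san_dns_names)


def diagnose(hostname, http_status, http_headers, san_dns_names):
    """Classify what a browser requesting http://hostname/ ends up with."""
    headers = {k.lower(): v for k, v in http_headers.items()}
    target = urlsplit(headers.get("location", ""))
    forced = http_status in (301, 302, 307, 308) and target.scheme == "https"
    tls_host = target.hostname if forced and target.hostname else hostname
    valid = cert_covers(tls_host, san_dns_names)
    if forced:
        # Every visitor lands on https, so a bad certificate blocks the page.
        return "https-ok" if valid else "blocked"
    # No redirect: plain http still loads, the certificate is never checked.
    return "both-ok" if valid else "http-only"


if __name__ == "__main__":
    redirect = {"Location": "https://status.waze.com/"}
    print(diagnose("status.waze.com", 200, {}, PROVIDER_SANS))
    print(diagnose("status.waze.com", 301, redirect, PROVIDER_SANS))
    print(diagnose("status.waze.com", 301, redirect, ["*.waze.com"]))
```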

Post by iainhouse
Not working for me, either. Chrome is still redirecting to the https page.

Post by karlcr9911
Yes, having the same issue as well with Chrome and I know several other editors are also.
karlcr9911
Global Champ Mentor
Posts: 2592
Answers: 3
Has thanked: 289 times
Been thanked: 1012 times

Post by mtylerb
Exact same issue here. I've tried flushing the DNS cache and clearing Firefox's history. It's definitely being forced server-side.
mtylerb
Country Manager
Posts: 425
Has thanked: 48 times
Been thanked: 125 times

Post by Olestas
It breaks the WME tiles update script.
Olestas
Waze Global Champs
Posts: 6666
Has thanked: 1560 times
Been thanked: 1109 times

Post by PHIL-IP63
Still have the same problem under Firefox 39, Firefox 40 (Beta), Firefox Developer Edition and Chrome.
DNS flushed, cache empty
PHIL-IP63
State Manager
Posts: 785
Has thanked: 113 times
Been thanked: 87 times

Post by PHIL-IP63
Seems to be solved for me since this morning on Firefox Developer Edition.