Rapido, a popular ride-hailing platform in India, has fixed a security issue that exposed personal information associated with its users and drivers, TechCrunch has exclusively learned.
The flaw, discovered by security researcher Renganathan P, was related to a website form meant to collect feedback from Rapido auto-rickshaw users and drivers. The form exposed the full names, email addresses, and phone numbers of individuals, which TechCrunch has seen based on the details provided by the researcher.
The researcher told TechCrunch that the exposed data pertained to one of Rapido’s APIs, which was meant to collect and share information from the feedback form with a third-party service used by Rapido.
TechCrunch verified the exposure by submitting a generic message through the feedback form, which we saw appear soon after as a record in the exposed portal.
As of Thursday, the exposed portal had over 1,800 feedback responses, which included a large number of phone numbers belonging to drivers and a lesser number of email addresses, the researcher said.
“This could have led to a big scam involving scammers or hackers, who may have ended up calling drivers and performing a large-scale social engineering attack, or simply these phone numbers and other data could have been exposed on the dark web if reached in the wrong hands,” the researcher told TechCrunch.
Soon after TechCrunch contacted Rapido about the spilling data, Rapido set the exposed portal to private.
“As a standard operating procedure, we are in the process of soliciting valuable feedback from our stakeholder community on our services. While this is being managed by external parties, we have come to understand that the survey links have reached some unintended users from the public,” Rapido CEO Aravind Sanka said in a statement emailed to TechCrunch. Sanka remarked that the collected phone numbers and email addresses were “non-personal in nature.”
