
A security flaw in Rapido, one of India’s prominent ride-hailing platforms, exposed the personal information of users and drivers, raising significant concerns about data security. The vulnerability, reported by TechCrunch, allowed full names, phone numbers, and email addresses to be publicly accessible via a feedback collection portal.
The flaw, discovered by security researcher Renganathan P, was tied to one of Rapido’s APIs, which collected feedback data from a survey form and shared it with a third-party service. According to the report, submitting a generic message through the form caused the submitted data to appear instantly in an exposed portal.
The portal contained over 1,800 feedback responses, many of which included driver phone numbers and a smaller proportion of email addresses. “This could have led to a big scam involving scammers or hackers, who may have ended up calling drivers and performing a large-scale social engineering attack, or simply [the data] could have been exposed on the dark web if reached in the wrong hands,” the report said quoting the researcher.
Upon being notified by TechCrunch, Rapido promptly addressed the issue by setting the portal to private.
Aravind Sanka, CEO of Rapido, acknowledged the incident, explaining in an emailed statement, “As a standard operating procedure, we are in the process of soliciting valuable feedback from our stakeholder community on our services. While this is being managed by external parties, we have come to understand that the survey links have reached some unintended users from the public.” Sanka further clarified that the collected information was “non-personal in nature.”
The incident serves as a stark reminder of the critical need for robust security practices, particularly for companies managing sensitive user and driver information. While Rapido’s swift action mitigated further risk, the exposure highlights vulnerabilities that could have been exploited for large-scale scams or attacks.