Rapido, a popular ride-hailing platform in India, has fixed a security issue that exposed personal information related to users and drivers, TechCrunch has learned exclusively.
The flaw, discovered by security researcher Renganathan P, was related to a form on a website aimed at collecting feedback from Rapido autorickshaw users and drivers. The form exposed an individual's full name, email address, and phone number, which TechCrunch confirmed based on details provided by the researcher.
Researchers told TechCrunch that the leaked data pertained to one of Rapido's APIs and was intended to collect information from feedback forms and share it with third-party services used by Rapido.
TechCrunch confirmed the exposure by submitting a test message through the feedback form. Almost immediately, the message appeared as a record on the exposed portal.
As of Thursday, the exposed portal held more than 1,800 feedback responses, including many phone numbers and a small number of email addresses belonging to drivers, researchers said.
“This could have led to a large-scale scam involving fraudsters and hackers who ended up calling drivers and carrying out large-scale social engineering attacks. Or simply, if your phone number or other data was accessed on the dark web, it could have been published in the wrong hands,” researchers told TechCrunch.
Shortly after TechCrunch contacted Rapido about the data breach, Rapido set its public portal to private.
“As a standard operating procedure, we are seeking valuable feedback from our stakeholder community about our services. Although this is managed by external parties, the survey link may be of interest to some members of the public. We understand that we are reaching users who don't want to use our services,” Rapido CEO Aravind Sanka said in an emailed statement to TechCrunch. Sanka said the phone numbers and email addresses collected are “not personal in nature.”