Rapido, a popular ride-hailing platform in India, has fixed a security issue that exposed personal information associated with its users and drivers, TechCrunch has exclusively learned.
The flaw, discovered by security researcher Renganathan P, was linked to a website form intended to collect feedback from Rapido auto-rickshaw users and drivers. The form exposed respondents' full names, email addresses and phone numbers, which TechCrunch saw based on details provided by the researcher.
The researcher told TechCrunch that the exposed data related to one of Rapido's APIs, intended to collect and share feedback form information with a third-party service used by Rapido.
TechCrunch verified the exposure by submitting a generic message via the comments form, which we saw appear shortly afterward as a new record on the exposed portal.
As of Thursday, the exposed portal had received more than 1,800 responses, including a large number of phone numbers belonging to drivers and a smaller number of email addresses, the researcher said.
“This could have led to a large scam involving scammers or hackers, who could have ended up calling drivers and launching a large-scale social engineering attack, or simply these phone numbers and other data could have been exposed on the dark web if they had reached the wrong hands,” the researcher told TechCrunch.
Shortly after TechCrunch contacted Rapido about the leaked data, Rapido set the exposed portal to private.
“As standard operating procedure, we are soliciting valuable feedback from our stakeholder community on our services. While this is managed by external parties, we understand that the survey links reached some unintended users in the public,” Aravind Sanka, CEO of Rapido, said in an emailed statement to TechCrunch. Sanka noted that the phone numbers and email addresses collected were “non-personal in nature.”