Rapido, one of India’s leading ride-hailing services, recently addressed a significant security lapse that exposed personal information belonging to about 1,800 users and drivers. The issue, first brought to light by cybersecurity researcher Renganathan P, was linked to a feedback form hosted on Rapido’s platform that inadvertently revealed sensitive data, including full names, email addresses, and phone numbers.
The vulnerability was traced to an API facilitating data sharing between Rapido’s feedback form and a third-party service. The form was designed to collect feedback from users and drivers of the auto-rickshaw service but unintentionally left the submitted information accessible on an open portal.
This misconfiguration potentially exposed over 1,800 responses, comprising a substantial number of driver phone numbers and a smaller set of email addresses, according to Renganathan.
The exposed data posed serious risks, including the possibility of large-scale social engineering attacks.
“This could have led to a big scam involving scammers or hackers, who may have ended up calling drivers and performing a large-scale social engineering attack, or simply these phone numbers and other data could have been exposed on the dark web if reached in the wrong hands,” Renganathan told TechCrunch.
Scammers or hackers could have exploited the data to impersonate Rapido representatives and deceive drivers or users.
Upon being informed of the issue, Rapido promptly restricted access to the portal, rendering it private. Aravind Sanka, CEO of Rapido, acknowledged the incident and stated that external vendors manage the feedback process. He attributed the exposure to survey links unintentionally reaching unintended users.
“As a standard operating procedure, we are in the process of soliciting valuable feedback from our stakeholder community on our services. While this is being managed by external parties, we have come to understand that the survey links have reached some unintended users from the public,” Aravind said.
This incident highlights the pressing need for robust data security practices, especially for platforms handling sensitive user and operational data.