Rapido, a popular ride-hailing platform in India, recently fixed a significant security flaw that exposed sensitive personal information from users and drivers. The vulnerability, discovered by security researcher Renganathan P, was tied to a website feedback form designed to gather opinions from Rapido’s auto-rickshaw drivers and customers. The flaw was linked to an API that inadvertently shared sensitive data, including full names, phone numbers, and email addresses, with third-party services.
The researcher confirmed that the exposed portal contained over 1,800 feedback responses, many of which included phone numbers of drivers. Some email addresses were also exposed, although to a lesser extent. TechCrunch, which verified the issue, noted that the data could have led to potential social engineering attacks or been sold on the dark web if it fell into the wrong hands. The flaw presented significant risks for users and drivers, as attackers could have exploited the data for scams or phishing attempts.
Upon being notified by TechCrunch, Rapido quickly acted to secure the exposed data. The company set the portal to private and issued a statement acknowledging the issue. Rapido’s CEO, Aravind Sanka, explained that the feedback form was intended for gathering opinions from users, but the survey links had unintentionally reached the public. He reassured users that the collected data, which included phone numbers and email addresses, was “non-personal in nature.”
While Rapido has taken steps to address the breach, the incident underscores the importance of securing data collected through online forms, particularly in the ride-hailing industry, where sensitive personal information is often shared. The company’s quick response highlights the growing importance of cybersecurity in the tech industry, but it also serves as a reminder of the potential consequences when data security practices are not robust enough to protect user information.
Reference:
