Rapido, a popular ride-hailing platform in India, had a security issue that exposed personal information related to its users and drivers, TechCrunch has learned exclusively.
The flaw, discovered by security researcher Renganathan P, was linked to a website form intended to collect feedback from Rapido car users and drivers. Based on details the researcher provided, TechCrunch saw that the exposed form data listed individuals' full names, email addresses and phone numbers.
Data related to one of Rapido's APIs is intended to collect and share information from a third-party service and response model used by Rapido, the researcher told TechCrunch.
TechCrunch verified the exposure by sending a general message via the feedback form, which we saw appear shortly afterward as a record on the exposed portal.
As of Thursday, the exposed portal had more than 1,800 responses, which included a large number of drivers' phone numbers and a small number of email addresses, the researcher said.
“This could lead to a massive scam involving fraudsters or hackers. Call drivers and perform a large-scale social engineering attack or expose these phone numbers and other data to the dark web. The hands are wrong,” the researcher told TechCrunch.
Shortly after TechCrunch contacted Rapido about the leaked data, Rapido set the exposed portal to private.
“As a standard operating procedure, we are in the process of soliciting valuable feedback from our stakeholder community regarding our services. While this is being managed by third parties, we have come to realize that survey links are reaching some unintended public users,” Rapido CEO Aravind Sanka said in a statement emailed to TechCrunch. Sanka noted that the phone numbers and email addresses collected are “not personal.”