India’s Rapido has exposed user and driver data through a leaked website form for feedback
Rapido, a popular ride-hailing platform in India, has fixed a security issue that exposed personal information associated with its users and drivers, TechCrunch has learned exclusively.
The flaw, discovered by security researcher Renganathan P, was related to a website form designed to collect feedback from Rapido auto-rickshaw users and drivers. The form revealed the full names, email addresses, and phone numbers of the individuals, which TechCrunch saw based on information provided by the researcher.
The researcher told TechCrunch that the exposed data came from one of Rapido’s APIs, which was intended to collect feedback submitted through the form and share it with a third-party service that Rapido uses.
TechCrunch confirmed the exposure by sending a general message through a feedback form, which we saw appear shortly after as a record on the featured portal.
As of Thursday, the exposed site had more than 1,800 responses, including a large number of drivers’ phone numbers and a small number of email addresses, the researcher said.
“This could have led to a huge scam involving fraudsters or hackers, who could have ended up calling drivers and doing a massive social engineering attack, or these phone numbers and other information could have been exposed on the dark web if accessed by the wrong hands,” the researcher told TechCrunch.
Shortly after TechCrunch contacted Rapido about the data leak, Rapido made the exposed site private.
“As a standard operating procedure, we are in the process of soliciting critical feedback from the stakeholder community about our services. Although this is controlled by external parties, we have come to understand that survey links have reached unintended users from the public,” said Rapido CEO Aravind Sanka in a statement emailed to TechCrunch. Sanka noted that the collected phone numbers and email addresses are “not personal in nature.”