Rapido Ride-Hailing Platform Leaks User and Driver Data via Website Flaw

Written by: Lore Apostol, Cybersecurity & Streaming Writer

Rapido, a leading ride-hailing platform in India, has resolved a security flaw that exposed sensitive personal data belonging to its users and drivers. The exposure stemmed from a website feedback form designed to collect input from Rapido’s auto-rickshaw users and drivers.

The form inadvertently leaked critical data such as the full names, email addresses, and phone numbers of these individuals.

The issue, first identified and reported by security researcher Renganathan P, was revealed to TechCrunch, which confirmed the exposure after independently submitting a generic test message through the form and observing it appear on an open portal containing other feedback records.

The vulnerability was traced to one of Rapido's APIs that handled the transfer of form data to a third-party service. The security researcher reported that the exposed portal contained more than 1,800 feedback responses, including a significant number of phone numbers belonging to drivers and a smaller proportion of email addresses.

According to the researcher, this data exposure could have posed serious risks, such as enabling large-scale social engineering scams targeting drivers or facilitating the sale of this information on the dark web.

Upon being alerted about the vulnerability, Rapido promptly made the exposed portal private. Shortly thereafter, Rapido's CEO, Aravind Sanka, issued a statement addressing the incident, mentioning that the phone numbers and email addresses collected were “non-personal in nature.”

Rapido has not disclosed whether the incident will be reported to local data protection authorities or if affected users and drivers will be informed directly.

This month, GPS tracking company Hapn, formerly known as Spytec, was found to have inadvertently exposed the identities of thousands of its customers due to a website vulnerability.


