India’s ride-hailing platform Rapido recently patched a security vulnerability that exposed sensitive information of its users and drivers. Security researcher Renganathan P discovered the issue, which involved a website feedback form intended for collecting feedback from Rapido’s auto-rickshaw services. This flaw inadvertently exposed personal details like full names, email addresses, and phone numbers. The findings were verified by TechCrunch, which confirmed that messages submitted via the form appeared in an exposed portal.
The root of the issue lay in one of Rapido’s APIs, designed to process feedback data and forward it to a third-party service. According to the researcher, the exposed portal contained over 1,800 responses, including numerous driver phone numbers and fewer email addresses. While the platform promptly secured the portal upon being alerted, the exposure could have led to significant risks, including social engineering attacks or misuse of the data on illicit platforms like the dark web.
In response to the incident, Rapido CEO Aravind Sanka issued a statement noting that the exposed data was “non-personal in nature.” Sanka clarified that the feedback collection process involved external parties and that some unintended users accessed the survey links. The company has since taken measures to prevent similar occurrences.
The security lapse highlights the importance of robust data protection measures in platforms handling sensitive user information, especially in the rapidly expanding tech-driven service sector.
