- Indian ride-sharing company Rapido was found leaking driver and customer data
- The flaw stemmed from a faulty API
- The company was leaking names, emails, and phone numbers
A major Indian ride-hailing platform was exposing sensitive user data thanks to a bug in one of its APIs.
The flaw in Rapido’s systems was discovered by security researcher Renganathan P, who claimed it stemmed from a website form designed to collect feedback from auto-rickshaw users and drivers. Auto-rickshaw is a three-wheeled vehicle, popular across India and many Asian countries.
Users that provided the feedback have had their sensitive information exposed to the public, including full names, email addresses, and phone numbers.
Rapido exposure
The database has been seen by TechCrunch, which confirmed its authenticity. The data was supposed to be shared with a third-party service, used by Rapido, only, but the publication says the database counts more than 1,800 feedback responses, with a “large number” of driver phone numbers, and a “lesser number” of email addresses.
“This could have led to a big scam involving scammers or hackers, who may have ended up calling drivers and performing a large-scale social engineering attack, or simply these phone numbers and other data could have been exposed on the dark web if reached in the wrong hands,” Renganathan P said.
The publication subsequently reached out to Rapido, who locked down the database and prevented more unauthorized access. We don’t know if any malicious actors found this database in the past, or if the data was abused in the wild. Phone numbers and email addresses are vital in running phishing and identity theft scams.
“As a standard operating procedure, we are in the process of soliciting valuable feedback from our stakeholder community on our services. While this is being managed by external parties, we have come to understand that the survey links have reached some unintended users from the public,” Rapido CEO Aravind Sanka said in a statement.
Sanka added that the collected phone numbers and email addresses were “non-personal in nature.”