Rapido, an Indian ride-hailing platform, recently resolved a vulnerability that exposed sensitive personal information of users and drivers. The flaw involved a feedback web form whose submissions exposed full names, email addresses, and phone numbers.
The vulnerability stemmed from one of Rapido’s APIs, which transmitted data from the feedback form to a third-party service. Journalists from TechCrunch verified the leak by submitting a message through the form, which subsequently appeared on a publicly accessible portal.
At the time of discovery, the portal contained over 1,800 records, including driver phone numbers and certain email addresses. Researchers cautioned that such a data leak could lead to fraudulent calls, social engineering attacks, or the sale of information on the dark web.
Following notification from TechCrunch, Rapido promptly restricted public access to the portal. Aravind Sanka, CEO of Rapido, stated that phone numbers and email addresses were not linked to users’ full names, thereby mitigating the potential risk. The situation has since been brought under control.