Indian ride-hailing company Rapido exposed user and driver data through a leaky website feedback form
Rapido, a popular ride-hailing platform in India, has fixed a security issue that exposed personal information associated with its users and drivers, TechCrunch has learned exclusively.
The flaw, discovered by security researcher Renganathan P, was linked to a website form aimed at collecting feedback from users and drivers of Rapido automated cars. The form revealed the full names, email addresses and phone numbers of individuals, which TechCrunch viewed based on the details provided by the researcher.
The researcher told TechCrunch that the exposed data related to one of Rapido’s APIs, which was intended to collect and share information from the feedback form with an external service used by Rapido.
TechCrunch verified the exposure by submitting a test message through the feedback form, which we saw appear shortly afterwards as a log entry in the exposed portal.
As of Thursday, the exposed portal had more than 1,800 responses, which included a large number of drivers’ phone numbers and a smaller number of email addresses, the researcher said.
“This could have led to a major scam involving scammers or hackers, who might have ended up contacting the drivers and carrying out a large-scale social engineering attack, or these phone numbers and other data simply could have been exposed on the dark web if accessed by the wrong hands,” the researcher told TechCrunch.
Shortly after TechCrunch contacted Rapido about the data spill, Rapido set the exposed portal as private.
“As a standard operating procedure, we are seeking valuable feedback from our stakeholder community on our services. While this is managed by third parties, we have recognized that survey links reached some unintended users in the audience,” Sanka said. Sanka noted that the phone numbers and email addresses collected were “non-personal in nature.”