- Indian ride-sharing company Rapido found to be leaking driver and customer data.
- The failure was due to a faulty API.
- The company was leaking names, emails and phone numbers.
A major Indian ride-hailing platform was exposing sensitive user data thanks to a bug in one of its APIs.
The flaw in Rapido’s systems was discovered by security researcher Renganathan P, who claimed that it arose from a website form designed to collect feedback from users and auto-rickshaw drivers. The auto-rickshaw is a three-wheeled vehicle, popular in India and many Asian countries.
Users who provided feedback had their sensitive information exposed to the public, including full names, email addresses, and phone numbers.
Quick exposure
The database was reviewed by TechCrunch, which confirmed its authenticity. The data was supposed to be shared only with a third-party service used by Rapido, but the post says the database contains more than 1,800 feedback responses, including a “large number” of drivers’ phone numbers and a “smaller number” of email addresses.
“This could have led to a huge scam involving scammers or hackers, who could have ended up calling drivers and conducting a large-scale social engineering attack, or simply these phone numbers and other data could have been exposed on the dark web if they had gotten into the wrong hands,” said Renganathan P.
The publication subsequently contacted Rapido, which locked the database and prevented further unauthorized access. It is not known whether any malicious actors found the database before it was locked, or whether the data was abused in the wild. Phone numbers and email addresses are valuable to attackers running phishing and identity theft scams.
“As standard operating procedure, we are in the process of soliciting valuable feedback from our stakeholder community on our services. While this is managed by external parties, we have come to understand that the survey links have reached some unwanted users in the public,” Aravind Sanka, CEO of Rapido, said in a statement.
Sanka added that the phone numbers and email addresses collected were “non-personal in nature.”