Unisami AI News

India’s Rapido exposed user and driver data through leaky website feedback form

December 20, 2024 | by AI


Rapido Swiftly Addresses Security Flaw Exposing User Data

A Close Call for Rapido Users and Drivers

Rapido, a well-known ride-hailing service in India, has resolved a security issue that exposed personal information of its users and drivers. The breach, first reported by TechCrunch, was identified by security researcher Renganathan P.

The Breach: What Went Wrong?

The vulnerability was traced back to a feedback form on Rapido’s website, intended for gathering insights from auto-rickshaw users and drivers. The form inadvertently exposed the following personal data:

  • Full names
  • Email addresses
  • Phone numbers

TechCrunch confirmed these details through the information shared by the researcher.

The Underlying Issue: API Exposure

According to the researcher, the root cause was an exposed API that was supposed to transmit feedback data to a third-party service. Because of this oversight, any submission made through the feedback form was publicly accessible.

“This could have led to a big scam involving scammers or hackers,” the researcher noted, highlighting the potential for large-scale social engineering attacks.

— Renganathan P, Security Researcher

Rapido’s Response: Quick and Decisive Action

Once TechCrunch alerted Rapido to the data exposure, the company acted immediately: the exposed portal was set to private, reducing the risk of further exposure. Rapido’s CEO, Aravind Sanka, addressed the issue in a statement:

“As a standard operating procedure, we are in the process of soliciting valuable feedback from our stakeholder community on our services… We have come to understand that the survey links have reached some unintended users from the public.”

— Aravind Sanka, Rapido CEO

A Lesson Learned

This incident is a critical reminder of the importance of robust security measures in digital platforms. While Rapido acted swiftly to limit the damage, the exposure underscores the need for continuous vigilance in protecting user data.

Image Credit: Nataliya Vaitkevich on Pexels
