Researcher claims Rapido exposed customers’ data: Here’s what the company has to say

Popular Indian bike-taxi app Rapido is facing scrutiny after a data breach exposed sensitive user and driver information online. The data leak, discovered by TechCrunch, highlights potential security vulnerabilities within the app.

The leaked information

The data breach was identified by security researcher Renganathan P. The vulnerability was found in a feedback form designed for Rapido's auto-rickshaw users and drivers. This form exposed sensitive information, including full names, email addresses, and phone numbers of individuals. TechCrunch has confirmed the authenticity of this leaked data based on the details shared by the researcher.

The researcher informed TechCrunch that the exposed data originated from one of Rapido's APIs. This API was designed to collect feedback from the form and transmit it to a third-party service used by the company. TechCrunch independently verified the vulnerability by submitting a test message through the feedback form. The message quickly appeared as a record in the exposed portal, confirming the breach.

“This could have led to a big scam involving scammers or hackers, who may have ended up calling drivers and performing a large-scale social engineering attack, or simply these phone numbers and other data could have been exposed on the dark web if reached in the wrong hands,” the researcher told TechCrunch.

What the company said

Following TechCrunch's notification of the data breach, Rapido promptly took action to secure the exposed portal by setting it to private. “As a standard operating procedure, we are in the process of soliciting valuable feedback from our stakeholder community on our services. While this is being managed by external parties, we have come to understand that the survey links have reached some unintended users from the public,” Rapido CEO Aravind Sanka said in a statement emailed to TechCrunch.
