Rapido, a leading ride-hailing service in India, has fixed a security flaw in its feedback collection system that exposed personal information of both users and drivers. The flaw was identified by security researcher Renganathan P, who reported that an API behind a feedback form had made respondents' full names, email addresses, and phone numbers publicly accessible online.
Details of the Incident
The feedback form submitted responses through an API to a third-party survey service, and the collected responses were viewable in that service's portal without authentication. Verification checks confirmed that a response submitted through the form appeared in the exposed portal. The root cause appears to have been inadequate access controls around the feedback form and its results rather than an intrusion: anyone who reached the portal could read the submissions. By the time the exposure was reported, more than 1,800 feedback entries were visible, including a large number of driver phone numbers and a smaller set of email addresses. This raised concern about phishing and social engineering attempts against the affected individuals.
Risks and Implications
Security practitioners regard this kind of exposure as a serious risk because the data can be used directly for phishing and identity theft. The researcher highlighted the potential for large-scale social engineering campaigns against drivers, whose phone numbers made up a large share of the exposed records, and the risk of the data being sold on the dark web.
Response from Rapido
In response, Rapido restricted access to the portal by setting it to private. CEO Aravind Sanka acknowledged the oversight, explaining that the survey links had inadvertently been shared with unintended recipients. The incident underlines the need for strong data-handling controls when user feedback is collected through external services: the third-party tool's access settings become part of the application's own security boundary. Organizations should audit their APIs and feedback integrations regularly, confirm that any results portal requires authentication, and minimize the personal data forwarded to such services in the first place.
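The two controls that would have limited this exposure, forwarding as little personal data as possible to the external survey tool and checking what an unauthenticated visitor to the results portal can see, can be illustrated in code. The following Python is an added example written for this article, not Rapido's code or the survey vendor's API. The field names (`name`, `email`, `phone`, `user_id`), the simplified +91 phone pattern, the HMAC-based pseudonym and the placeholder `SECRET` are all assumptions; the sample submission is constructed, not real data.

```python
import hashlib
import hmac
import json
import re

# Field names are assumptions for this example; the report names full names,
# email addresses and phone numbers as the exposed data.
DIRECT_IDENTIFIERS = ("name", "email", "phone")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Indian mobile numbers: optional +91 or leading 0, then ten digits starting 6-9
# (a simplified pattern chosen for this example).
PHONE_RE = re.compile(r"(?<!\d)(?:\+91[\s-]?|0)?[6-9]\d{9}(?!\d)")


def pseudonymize(user_id: str, secret: bytes) -> str:
    """Keyed hash of the internal ID: stable per user so responses can be
    correlated internally, but not reversible by the third party."""
    return hmac.new(secret, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_text(text: str) -> str:
    """Remove identifiers that respondents paste into free-text fields."""
    text = EMAIL_RE.sub("[email removed]", text)
    return PHONE_RE.sub("[phone removed]", text)


def minimize_feedback(submission: dict, secret: bytes) -> dict:
    """Build the payload that may leave the application for the survey tool.

    Direct identifiers are dropped entirely, the internal user ID becomes a
    pseudonymous reference, and remaining strings are scrubbed. Contact
    details stay in the application's own database, behind its own access
    controls, and are looked up by respondent_ref if follow-up is needed.
    """
    outbound = {}
    for key, value in submission.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "user_id":
            outbound["respondent_ref"] = pseudonymize(value, secret)
            continue
        outbound[key] = scrub_text(value) if isinstance(value, str) else value
    return outbound


def find_pii(body: str) -> dict:
    """Audit helper: count emails and phone numbers in a response body, for
    example the output of an unauthenticated fetch of the survey results
    portal. A non-zero count on such a fetch is the finding."""
    return {"emails": len(EMAIL_RE.findall(body)),
            "phones": len(PHONE_RE.findall(body))}


# Constructed sample submission (not real data).
SAMPLE_SUBMISSION = {
    "user_id": "drv-10492",
    "name": "Asha Example",
    "email": "asha@example.com",
    "phone": "+919876543210",
    "rating": 4,
    "comment": "Great ride, call me on 9876543210 or asha@example.com",
}
SECRET = b"rotate-me-and-keep-out-of-source"  # placeholder secret for the example

if __name__ == "__main__":
    print("raw payload:", find_pii(json.dumps(SAMPLE_SUBMISSION)))
    outbound = minimize_feedback(SAMPLE_SUBMISSION, SECRET)
    print("outbound payload:", json.dumps(outbound, indent=2))
    print("after minimization:", find_pii(outbound["comment"]))
```

Run as-is, the raw submission contains two email addresses and two phone numbers, while the outbound payload carries only a rating, a scrubbed comment and an opaque `respondent_ref`. The same `find_pii` function, pointed at the body returned by an unauthenticated request to a survey results page, is the kind of check a periodic audit of feedback integrations should include: if it reports anything other than zeros, the portal is exposing respondents.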
Rapido has acknowledged the vulnerability and assured users that fixing it is a high priority. The company says it is working with cybersecurity professionals to harden its systems and prevent similar exposures in the future.