Rapido, a popular ride-hailing platform in India, has fixed a security issue that exposed personal information related to its customers and drivers, TechCrunch has exclusively learned.
The flaw, found by security researcher Renganathan P, was related to a website form intended to collect feedback from Rapido auto-rickshaw users and drivers. The form exposed the full names, email addresses, and phone numbers of individuals, which TechCrunch has seen based on the details provided by the researcher.
The researcher told TechCrunch that the exposed data pertained to one of Rapido’s APIs, which was intended to collect and share information from the feedback form with a third-party service used by Rapido.
TechCrunch verified the exposure by submitting a generic message through the feedback form, which we saw appear shortly afterward as a record in the exposed portal.
As of Thursday, the exposed portal held over 1,800 feedback responses, which included numerous phone numbers belonging to drivers and a smaller number of email addresses, the researcher said.
“This could have led to a big scam involving scammers or hackers, who could have ended up calling drivers and performing a large-scale social engineering attack, or simply these phone numbers and other data could have been exposed on the dark web if they reached the wrong hands,” the researcher told TechCrunch.
Soon after TechCrunch contacted Rapido about the spilling data, Rapido set the exposed portal to private.
“As a standard operating procedure, we are in the process of soliciting valuable feedback from our stakeholder community on our services. While this is being managed by external parties, we have come to know that the survey links have reached some unintended users from the public,” Rapido CEO Aravind Sanka said in a statement emailed to TechCrunch. Sanka remarked that the collected phone numbers and email addresses were “non-personal in nature.”