Rapido has announced that it has resolved a bug in its feedback form that had exposed sensitive data, including the names and phone numbers of thousands of users and drivers who were registered on the platform.
A significant bug in Rapido, an Indian bike-taxi aggregator app has exposed sensitive personal data of thousands of users and drivers across the country. The leaked information included full names, phone numbers, and email addresses, which has raised serious privacy and security concerns.
The Rapido data breach highlights the critical importance of robust data security practices for companies handling user information. While the company has addressed the issue, the incident highlights the growing risks of data leaks in India’s rapidly expanding digital economy.
Bug found in feedback form API
The vulnerability was discovered by Indian security researcher Renganathan P, who identified a flaw in the feedback form on Rapido’s website. This form, which was used for collecting feedback from auto-rickshaw users and drivers, relied on an API that inadvertently shared sensitive details with an external third-party service.
Security risks of exposed data
The exposed data posed a significant risk, which was potentially enabling the cybercriminals to launch large-scale social engineering attacks or sell the information on the dark web.
The researcher further warned that this could lead to phishing scams or other malicious activities targeting users and drivers.
1,800 Feedback forms affected
Over 1,800 feedback forms, which contained sensitive information like phone numbers and email addresses, were accessible due to the bug. This included the contact details of drivers, compounding the security threat.
Rapido’s response
Rapido acted swiftly by setting the exposed portal to private upon learning about the breach. A company spokesperson downplayed the severity, claiming that the exposed data was “non-personal” and attributing the issue to survey links reaching unintended users.
Broader implications for data privacy
This incident follows closely on the heels of another data breach involving McDonald’s India (West and South), where a bug in its delivery system exposed customer and delivery partner data, including names, phone numbers, and email addresses. That bug, discovered in July, was fixed in late September.
