Rapido Leaks Info Of Users, Drivers Due To Security Flaw

SUMMARY

The personal data was exposed due to a flaw with a website form which collected feedback from Rapido rickshaw users and drivers

The issue was discovered by security researcher and ethical hacker Renganathan P

As of December 19, the open portal had more than 1,800 feedback responses, which included phone numbers and email addresses

Ride-hailing unicorn Rapido reportedly leaked the personal information of its users and drivers due to a security issue with a feedback form.

The personal data was exposed due to a flaw with a website form which collected feedback from Rapido rickshaw users and drivers. The issue was discovered by security researcher and ethical hacker Renganathan P, TechCrunch reported. 

Rapido collected the user data via a third-party feedback form, which exposed the full names, email addresses, and phone numbers, as per the report.

Renganathan told Inc42, “There was a form which was not hosted on the primary domain, which is rapido.bike, but on another domain which seems to be owned by Rapido. (It) contained the feedback form which disclosed names, phone numbers, few email IDs, and feedback messages, majority of which belong to auto drivers and a few customers.”

As of Thursday (December 19), the open portal had more than 1,800 feedback responses, which consisted of phone numbers of rickshaw drivers and comparatively fewer email addresses.

Renganathan said that when companies outsource work to external agencies, they need to pay extra attention to “secure coding and additional access control security”. He said that performing security assessments or hosting bug bounty programmes are suggested options.

“India has (a) lot of security professionals, I request startups to make use of such cyber experts…” he added.

A mail sent to Rapido seeking details about the development didn’t elicit any response till the time of publishing this story. However, the TechCrunch report said that Rapido fixed the issue by changing the portal settings to private after it was contacted by the publication.

“As a standard operating procedure, we are in the process of soliciting valuable feedback from our stakeholder community on our services. While this is being managed by external parties, we have come to understand that the survey links have reached some unintended users from the public,” Rapido cofounder and CEO told the publication in a statement. 

Founded in 2015 by Rishikesh SR, Pavan Guntupalli, and Aravind Sanka, Rapido primarily operates in the bike taxi and auto transportation segments. It also entered the cab services segment recently. 

The startup trimmed its loss by more than 45% to INR 370 Cr in the financial year 2023-24 (FY24) from INR 675 Cr in the previous year. Revenue zoomed 1.5X to INR 648.1 Cr from INR 443 Cr in FY23. 

The development comes at a time when a number of Indian startups and companies have been hit by data security troubles. Fintech SaaS startup Signzy was hit by a cyberattack in late November.

Prior to that, health insurer Star Health was caught in a data breach and the data of its customers was allegedly put up for sale on instant messaging app Telegram. The company said that the hacker, who leaked the personal data of its 3 Cr customers, demanded a ransom of $68,000 (INR 57 Lakh).

In September, payments and commerce platform DotPe also leaked data of its customers due to a “human error”.

Note: The copy has been edited to add Renganathan’s comment.
