Rapido’s Vulnerable Feedback Form Exposes User Data
Date: December 20, 2024
Rapido released a feedback form to its auto-rickshaw users and drivers, which exposed their personal information due to inadequate security measures.
Rapido, a rapidly growing ride-hailing service in India, is facing backlash over its recent feedback survey. The platform shared a feedback form with its auto-rickshaw drivers and users to gain insights on improving the experience and eliminating errors. Instead of helping the company, the effort backfired, as the data was exposed to third-party platforms.
The flaw was discovered by a security researcher named Ranganathan P. The leaked data consisted of personal information of users and drivers: full names, phone numbers, and email addresses of individuals who interacted with the feedback forms.
Rapido used a third-party service to conduct the survey and integrated an in-house API to capture the data on its internal servers. The main cause of the leak is Rapido’s API, as confirmed by the researcher, who submitted generic information in the form and saw the same data reflected on the website displaying the exposed user information.
“This could have led to a big scam involving scammers or hackers, who may have ended up calling drivers and performing a large-scale social engineering attack, or simply these phone numbers and other data could have been exposed on the dark web if reached in the wrong hands,” said the researcher to the media house.
As of yesterday, the portal containing information about users and drivers had exposed over 1,800 feedback responses. This data included a large pool of drivers' phone numbers, while the number of email addresses was significantly smaller.
Rapido’s CEO, Arvind Sanka, responded to the media house’s queries regarding the incident, claiming that the phone numbers and email addresses were not personal in nature and were being used as professional contact details.
“As a standard operating procedure, we are in the process of soliciting valuable feedback from our stakeholder community on our services. While this is being managed by external parties, we have come to understand that the survey links have reached some unintended users from the public,” said Sanka in an email response sent to the media house.
This incident is a strong illustration of the importance of security best practices at all levels, from app development to marketing initiatives, as any inadequacy can create a backdoor for threat actors to misuse critical user information. Tech-first companies must implement strong security measures to ensure that their well-intentioned activities do not result in a negative impact.
By Arpit Dubey
