Rapido Fixes Security Flaw Exposing User and Driver Personal Info

Sophia Steele

December 20, 2024 · 4 min read
Rapido, a popular ride-hailing platform in India, has fixed a security issue that exposed personal information associated with its users and drivers, TechCrunch has exclusively learned. The flaw, discovered by security researcher Renganathan P, was related to a website form meant to collect feedback from Rapido auto-rickshaw users and drivers.

The exposed data included individuals' full names, email addresses, and phone numbers, which TechCrunch reviewed in details provided by the researcher. The researcher told TechCrunch that the exposed data came from one of Rapido's APIs, which was meant to collect information from the feedback form and share it with a third-party service used by Rapido.

TechCrunch verified the exposure by submitting a generic message through the feedback form, which we saw appear soon after as a record in the exposed portal. As of Thursday, the exposed portal had over 1,800 feedback responses, which included a large number of phone numbers belonging to drivers and a lesser number of email addresses, the researcher said.

The security researcher warned that the exposed data could have led to a large-scale social engineering attack or been sold on the dark web if it fell into the wrong hands. "This could have led to a big scam involving scammers or hackers, who may have ended up calling drivers and performing a large-scale social engineering attack, or simply these phone numbers and other data could have been exposed on the dark web if reached in the wrong hands," the researcher told TechCrunch.

Soon after TechCrunch contacted Rapido about the exposed data, Rapido set the exposed portal to private. In a statement emailed to TechCrunch, Rapido CEO Aravind Sanka said, "As a standard operating procedure, we are in the process of soliciting valuable feedback from our stakeholder community on our services. While this is being managed by external parties, we have come to understand that the survey links have reached some unintended users from the public."

Notably, Sanka remarked that the collected phone numbers and email addresses were "non-personal in nature." However, this assertion raises concerns about the company's understanding of data privacy and security. The exposure of personal information, regardless of its perceived "non-personal" nature, can still have significant consequences for individuals, including potential harassment, phishing attacks, or identity theft.

The incident highlights the importance of robust security measures and responsible data handling practices, particularly in the ride-hailing industry, where users entrust companies with sensitive personal information. It also underscores the need for companies to prioritize transparency and accountability in their data collection and storage practices.

In the wake of this security flaw, Rapido users and drivers are advised to remain vigilant and monitor their personal information for any signs of suspicious activity. Meanwhile, the company must take concrete steps to ensure that such incidents do not recur in the future, including conducting thorough security audits and implementing more robust data protection measures.

The Rapido security flaw serves as a stark reminder of the ongoing struggle to balance innovation with security and privacy in the tech industry. As companies continue to collect and process vast amounts of user data, it is essential that they prioritize the protection of that data and maintain transparency in their practices to build and maintain user trust.

Copyright © 2024 Starfolk. All rights reserved.