Dubai’s largest taxi app exposes 220K+ users

The Dubai Taxi Company (DTC) app, which provides taxi, limousine, and other transport services, left a database open to the public, exposing sensitive customer and driver data.

DTC, a subsidiary of Dubai’s Roads and Transport Authority, leaked a trove of sensitive information from the DTC app, the Cybernews research team has found. Over 197K app users and nearly 23K drivers were exposed.

According to the team, the exposed data was stored in an open MongoDB database, which has since been closed. Businesses employ MongoDB to organize and store large swaths of document-oriented information. The DTC app has over 100,000 downloads on the Google Play store.

We reached out to DTC for comment but did not receive a reply before publishing this article.

What kind of data did the DTC app leak?

Our researchers believe that the leaked database was likely a production database used for development purposes, as it included customer data, logs, drivers’ personally identifiable information (PII), registration and bank details, as well as passenger order details. The data covered a period from 2018 to 2021.

The exposed DTC app user data includes email address, phone number, phone model, and the app’s tokens for email, login, session, and signup. Tokens usually serve as digital keys to user accounts. In theory, exposing tokens could lead to unauthorized account access.

[Image: sample of the leaked data.]

In addition to nearly 200K exposed customers, the DTC app’s open database also leaked information on 22,952 drivers. The volume of exposed data about the DTC drivers is impressive, as the database includes:

  • Driving license number
  • Work permit number
  • Nationality
  • Username
  • Encrypted password
  • Phone number

According to the team, the MongoDB instance contained conversations with support totaling over 17K records, as well as complaints from customers.

The online driver app logs contained a staggering one terabyte of data, including location details, IPs, whether a driver used a VPN service, and even the device battery status.

“This comprehensive dataset could enable threat actors to engage in various malicious activities, ranging from targeted phishing attacks and identity theft to exploiting the travel patterns of individuals for criminal purposes,” the Cybernews research team said.

“This leak only emphasizes the critical need for swift and effective measures to mitigate potential harms and secure the compromised information.”

DTC claims that it controls 44% of the Dubai market share by the size of its taxi fleet, making it the largest service provider in the most populous city of the United Arab Emirates. DTC says it operates over 7,000 vehicles and has an active workforce of 14,000 driver partners.
