Dubai’s largest taxi app exposes 220K+ users

Pierluigi Paganini
December 12, 2023

The Dubai Taxi Company (DTC) app, which provides taxi, limousine, and other transport services, left a database open to the public, exposing sensitive customer and driver data.

Dubai Taxi Company, a subsidiary of Dubai’s Roads and Transport Authority, leaked a trove of sensitive information from the DTC app, the Cybernews research team has found. Over 197K app users and nearly 23K drivers were exposed.

DTC says it holds a 44% share of the Dubai taxi market by fleet size, making it the largest service provider in the most populous city of the United Arab Emirates. DTC reports operating over 7,000 vehicles with an active workforce of 14,000 driver partners.

According to the Cybernews team, the exposed data was stored in a publicly accessible MongoDB database, which has since been closed. Businesses use MongoDB to organize and store large volumes of document-oriented data. The DTC app has over 100,000 downloads on the Google Play store.
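The article does not say how the database came to be reachable from the internet, but the two mongod.conf settings that most often produce exactly this outcome are a bind address of all interfaces combined with authorization left disabled. The following Python script, added here as an example and not code from the article, from DTC or from Cybernews, shows a weak configuration of that kind beside a hardened one and runs a small audit over both. The configuration contents, addresses and paths are constructed for illustration and are assumptions, not anything taken from the article.

```python
"""Audit a mongod.conf for the two settings that most often turn a MongoDB
deployment into an internet-exposed, unauthenticated database.

Added example; not code from the article, from DTC or from Cybernews.
The sample configurations below are constructed for illustration; the
addresses and paths in them are assumptions.
"""

# Constructed weak configuration: mongod listens on every interface and
# never asks for credentials, so anyone who can reach TCP/27017 can read
# and write every collection.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0          # all interfaces
security:
  authorization: disabled  # no credentials required
"""

# Constructed hardened configuration: bound to loopback plus one private
# address, with role-based access control enforced for every client.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse the 'section:\\n  key: value' subset of mongod.conf's YAML.

    mongod.conf is YAML, but this audit only needs a few leaf keys, so a
    small hand-written parser avoids a PyYAML dependency. Comments and
    blank lines are ignored. Returns {section: {key: value}} with values
    kept as plain strings.
    """
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            section = key
            # A top-level scalar (rare in mongod.conf) is stored as a string.
            conf[section] = value.strip() if value.strip() else {}
        elif section is not None and isinstance(conf[section], dict):
            conf[section][key] = value.strip()
    return conf


def _section(conf, name):
    """Return a section dict, or an empty dict if absent or not a mapping."""
    sec = conf.get(name)
    return sec if isinstance(sec, dict) else {}


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_mongod_conf(text)
    net = _section(conf, "net")
    security = _section(conf, "security")
    findings = []

    # Since MongoDB 3.6 the default bindIp is localhost only; 0.0.0.0 or '::'
    # (or net.bindIpAll: true) exposes the listener on every interface.
    bind_ip = net.get("bindIp", "127.0.0.1")
    addrs = {a.strip() for a in bind_ip.split(",")}
    if net.get("bindIpAll", "false").lower() == "true" or addrs & {"0.0.0.0", "::"}:
        findings.append("net.bindIp exposes mongod on all interfaces: %s" % bind_ip)

    # authorization defaults to disabled; without it every client that can
    # connect gets full read/write access to every database.
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled (no credentials required)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_mongod_conf(conf) or ["OK"])
```

Binding to a private address and enabling authorization are the minimum; in practice the listener should also sit behind a host or cloud firewall, and the audit above is the kind of check worth running in CI against every mongod.conf before it reaches a server.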

We reached out to DTC for comment but had not received a reply before this article was published.

What kind of data did the DTC app leak?

Our researchers believe the leaked database was likely a production database also used for development purposes, as it included customer data, logs, drivers’ personally identifiable information (PII), registration and bank details, and passenger order details. The data covered the period from 2018 to 2021.

The exposed DTC app user data includes email addresses, phone numbers, phone models, and the app’s tokens for email, login, session, and signup. Such tokens act as digital keys to user accounts: whoever holds a valid session or login token can act as that user without knowing the password, until the token expires or is revoked. Exposing them therefore creates a real risk of unauthorized account access.

In addition to nearly 200K exposed customers, the DTC app’s open database also leaked information on 22,952 drivers. The range of exposed driver data is extensive; the database includes:

  • Driving license number
  • Work permit number
  • Nationality
  • Username
  • Encrypted password
  • Phone number

According to the team, the MongoDB instance also contained over 17K records of conversations with support, as well as customer complaints.

The online driver-app logs alone contained a staggering one terabyte of data, including location details, IP addresses, whether a driver was using a VPN service, and even the device’s battery status.

To learn about the risks for affected individuals, see the original post published by Cybernews:

About the author: Vilius Petkauskas, Deputy Editor at Cybernews

(SecurityAffairs – hacking, Dubai Taxi Company)