Lack of Feedback Validation Permits Arbitrary Driver Ratings
Team Summary
Official summary from Bykea
@bugbountywithmarco discovered a logic flaw in Bykea’s feedback system that allowed authenticated passengers to submit feedback for drivers they had not actually ridden with. By linking their own valid trip ID to any driver ID, an attacker could manipulate driver ratings, though this exploit was limited to trips the attacker legitimately owned, and each trip could only affect one driver rating at a time (with previous ones overwritten). Despite this limitation, the vulnerability could still be abused to unfairly inflate or deflate driver scores, undermining the reliability of the platform’s reputation system.
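The flaw described above, as an added illustration that is not Bykea's code and not part of the report: a feedback handler that checks trip ownership but trusts the client-supplied driver ID, beside a fixed handler that derives the rated driver from the trip record. The trip table, IDs and the 1-5 score range are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Trip:
    trip_id: str
    passenger_id: str
    driver_id: str


# Constructed sample trips (hypothetical data, not Bykea's).
TRIPS = {
    "trip-100": Trip("trip-100", "passenger-A", "driver-1"),
    "trip-200": Trip("trip-200", "passenger-B", "driver-2"),
}


def _owned_trip(passenger_id, trip_id):
    """Return the trip only if it exists and belongs to the caller."""
    trip = TRIPS.get(trip_id)
    if trip is None or trip.passenger_id != passenger_id:
        raise PermissionError("trip not owned by passenger")
    return trip


def submit_feedback_vulnerable(ratings, passenger_id, trip_id, driver_id, score):
    """Ownership is checked, but the rated driver comes from the client.
    One rating per trip, so a resubmission overwrites the previous one."""
    _owned_trip(passenger_id, trip_id)
    ratings[trip_id] = (driver_id, score)  # any driver_id is accepted
    return driver_id


def submit_feedback_fixed(ratings, passenger_id, trip_id, driver_id, score):
    """Reject feedback whose driver does not match the trip's driver and
    store the driver from the trip record, never the client's value."""
    trip = _owned_trip(passenger_id, trip_id)
    if driver_id != trip.driver_id:
        raise ValueError("driver does not match trip")
    if not 1 <= score <= 5:
        raise ValueError("score out of range")
    ratings[trip_id] = (trip.driver_id, score)
    return trip.driver_id


def driver_average(ratings, driver_id):
    """Mean score for a driver, or None if no ratings exist."""
    scores = [s for d, s in ratings.values() if d == driver_id]
    return sum(scores) / len(scores) if scores else None
```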
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Submitted
Weakness
Insecure Direct Object Reference (IDOR)