DoorDash's Email Spoofing Vulnerability: A Messy Disclosure Dispute
A security researcher, known only as doublezero7, discovered a vulnerability in DoorDash's systems that could allow anyone to send 'official' DoorDash-themed emails directly from the company's authorized servers, creating a near-perfect phishing channel. This flaw, found in the DoorDash for Business platform, could be exploited by threat actors to launch highly convincing phishing campaigns and social engineering scams.
The researcher reported the vulnerability to DoorDash, but a contentious dispute erupted between the two parties, with both sides accusing each other of acting improperly. The researcher claims the company ignored the issue until pressured, while the company argues that the pressure itself crossed ethical lines.
The vulnerability allowed anyone to create a free DoorDash for Business account, use the backend admin dashboards to add a new 'Employee' with an arbitrary name and email address, assign them meal-expense budgets, and craft emails containing arbitrary HTML. The resulting messages, bearing DoorDash's official template and sent from its authorized mail servers, would land in the recipient's inbox rather than the spam folder.
The security researcher demonstrated the vulnerability to BleepingComputer, showing how it could be exploited by nefarious actors. They explained that the root of the issue was the Budget name input field, which was stored as raw text in the database and forwarded to email, where it would be rendered. Using unclosed tags, the researcher could have altered the entire block of text about Budget information and hidden it completely with display:none, replacing it with a crafted payload.
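An added illustration of the defect the researcher describes, written for this page and not DoorDash's code or the researcher's proof-of-concept: a stand-in email template that interpolates the stored budget name verbatim, the same template with the value HTML-escaped, and a check defenders can run over stored names to spot markup that should never have been accepted. The template, the budget-name input and the field name are constructed assumptions.

```python
import html
import re

# Constructed stand-in for a transactional email template (not DoorDash's
# real template). The budget name is user-controlled and interpolated here.
TEMPLATE = (
    "<html><body>"
    '<div id="budget"><p>Your manager added you to the budget '
    "<b>{budget_name}</b>.</p></div>"
    "<p>Questions? Reply to this email.</p>"
    "</body></html>"
)

# Constructed input modelled on the page: an unclosed tag whose inline style
# hides the surrounding block, so whatever follows replaces the real content.
INJECTED_NAME = '<div style="display:none"><i>Q3 lunch'

_TAG_RE = re.compile(r"<(\w+)")


def render_vulnerable(budget_name: str) -> str:
    """Interpolates the stored value as-is: the browser parses it as markup."""
    return TEMPLATE.format(budget_name=budget_name)


def render_hardened(budget_name: str) -> str:
    """Escapes the value on output so it can only ever render as text."""
    return TEMPLATE.format(budget_name=html.escape(budget_name, quote=True))


def count_tags(rendered: str) -> int:
    """Number of opening tags in the rendered document."""
    return len(_TAG_RE.findall(rendered))


def flag_suspicious_names(stored_names: list[str]) -> list[str]:
    """Defensive check: stored budget names that contain tag-like markup.

    Run over existing records to find values that bypassed input validation
    before the output-escaping fix was deployed.
    """
    return [name for name in stored_names if _TAG_RE.search(name)]
```

With the template above, the vulnerable rendering gains two attacker-controlled tags, while the hardened rendering keeps exactly the template's own six.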
The researcher also noted that the vulnerability was identical to the unaddressed flaw in Uber's email systems revealed by BleepingComputer in 2022. The DoorDash flaw had been reported to the company through the HackerOne bug bounty platform, but the report was closed as 'Informative' and never escalated, leaving the issue exploitable for over 15 months.
The researcher, frustrated with the drawn-out disclosure process, published a brief vulnerability report summarizing the flaw and their attempts to disclose it, while withholding any concrete technical details or proofs-of-concept. They claimed that the technical flaw was never complex and that the company's failure to address it amounted to severe neglect.
The company, however, deemed the issue out of scope and characterized the researcher's approach as extortion. A DoorDash spokesperson stated that the individual attempted to extort the company for money and was subsequently banned from its bug bounty program. The company's security team has since addressed the issue.
The researcher sees the 'silent fix' and their removal as retaliatory, arguing that the company took their service for free, tried to hide their 16-month failure, and then attempted to silence them. They believe this is an unethical approach to security research.
Despite the controversy, the vulnerability did not expose DoorDash user data or provide access to internal systems. It required the recipient to be tricked into taking action, raising questions about its actual 'criticality'. The researcher's actions and the company's response illustrate how vulnerability reporting can become fraught and how misaligned expectations can lead to conflict.
The DoorDash breach disclosed in October, which exposed user information, is unrelated to this vulnerability, according to a source briefed on the matter.