A vulnerability in **DoorDash's systems** could have allowed threat actors to abuse an unpatched flaw in the **DoorDash for Business** platform to send **fully branded, official-looking emails** from DoorDash's own authorized mail servers by injecting arbitrary HTML into the 'Budget name' input field, which was rendered unescaped into a transactional email template. This created a **highly convincing phishing channel**: because the messages originated from DoorDash's legitimate sending infrastructure rather than a look-alike domain, they passed spam filtering and appeared authentic to recipients. The flaw, reported by a researcher in **July 2023**, remained unpatched for **over 15 months** amid disputes over disclosure ethics and financial demands. While no **direct data breach** or **internal system access** occurred, the vulnerability posed a **significant reputational and financial risk** by enabling **large-scale phishing attacks** against customers, merchants, or arbitrary recipients. The company patched the issue in **November 2024** after public pressure, and the researcher was banned from DoorDash's bug bounty program amid accusations of extortion. The incident highlights tensions between **responsible disclosure** and **corporate response protocols** in cybersecurity.
DoorDash cybersecurity rating report: https://www.rankiteo.com/company/doordash
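The flaw described above comes down to a single rendering step: a user-supplied budget name interpolated into an HTML email template with neither input validation nor output encoding. The Python below is an added illustration written for this page, not DoorDash's code or the researcher's report; the template text, the sample attacker payload and the `business.doordash.com` link are constructed placeholders. It shows the vulnerable rendering beside a hardened version (an input allowlist plus HTML escaping, so a legitimate name like "Tom & Jerry's lunch" still renders correctly) and a simple check that flags injected markup in rendered output, the kind of assertion a test suite for transactional email could carry.

```python
import html
import re

# Constructed stand-in for a transactional email template. The only
# user-controlled value is {budget_name}; the link is an assumed placeholder.
EMAIL_TEMPLATE = (
    "<p>You have been added to the budget <b>{budget_name}</b>.</p>"
    '<p><a href="https://business.doordash.com/">Open DoorDash for Business</a></p>'
)
LEGIT_LINK_PREFIX = "https://business.doordash.com/"

# Constructed attacker payload: closes the template's <b>, injects a phishing
# paragraph with its own link, then reopens <b> so the markup stays balanced.
ATTACKER_BUDGET_NAME = (
    'Team Lunch</b><p style="color:red">Your account is suspended. '
    '<a href="https://evil.example/login">Verify now</a></p><b>'
)


def render_vulnerable(budget_name: str) -> str:
    """Unsafe: raw substitution, so attacker HTML lands in the outbound email."""
    return EMAIL_TEMPLATE.format(budget_name=budget_name)


# Allowlist for a budget name: letters, digits, space and a few punctuation
# marks. Anything that could open a tag or attribute is rejected outright.
MAX_BUDGET_NAME_LEN = 64
BUDGET_NAME_RE = re.compile(r"^[A-Za-z0-9 _.&'-]+$")


def validate_budget_name(budget_name: str) -> str:
    """Input validation at the API boundary; raises ValueError on rejection."""
    name = budget_name.strip()
    if not name or len(name) > MAX_BUDGET_NAME_LEN:
        raise ValueError("budget name length out of range")
    if not BUDGET_NAME_RE.fullmatch(name):
        raise ValueError("budget name contains disallowed characters")
    return name


def is_accepted(budget_name: str) -> bool:
    """Convenience wrapper: True if the name passes validation."""
    try:
        validate_budget_name(budget_name)
        return True
    except ValueError:
        return False


def render_hardened(budget_name: str) -> str:
    """Defence in depth: validate on input AND HTML-escape on output.

    Escaping is still required after validation because the allowlist admits
    '&' and the apostrophe, both of which must be encoded in HTML.
    """
    name = validate_budget_name(budget_name)
    return EMAIL_TEMPLATE.format(budget_name=html.escape(name, quote=True))


def contains_injected_markup(rendered: str) -> bool:
    """Check rendered output for tags or links the template itself never emits.

    The template contains exactly one anchor pointing at LEGIT_LINK_PREFIX, so
    a second <a> or any foreign href means user input escaped its text context.
    """
    opening_tags = re.findall(r"<([a-zA-Z]+)", rendered)
    hrefs = re.findall(r'href="([^"]+)"', rendered)
    return opening_tags.count("a") > 1 or any(
        not href.startswith(LEGIT_LINK_PREFIX) for href in hrefs
    )


if __name__ == "__main__":
    bad = render_vulnerable(ATTACKER_BUDGET_NAME)
    print("vulnerable render flagged:", contains_injected_markup(bad))
    print("attacker name accepted by hardened path:", is_accepted(ATTACKER_BUDGET_NAME))
    print(render_hardened("Tom & Jerry's lunch"))
```

The detection helper is deliberately template-specific: it knows the one link the template legitimately emits and treats anything else as a finding. In a real mail pipeline the same idea generalises to a render-time assertion that the parsed output contains no elements or URLs outside the template's own set, which would have caught this class of bug regardless of which input field carried the payload.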
"id": "DOO2492524111725",
"linkid": "doordash",
"type": "Vulnerability",
"date": "7/2023",
"severity": "50",
"impact": "2",
"explanation": "Attack limited to finance or reputation"
{'affected_entities': [{'customers_affected': 'Potentially All DoorDash Users '
'+ General Public (via Spoofed '
'Emails)',
'industry': 'Technology (On-Demand Services)',
'location': 'San Francisco, California, USA',
'name': 'DoorDash',
'size': 'Large (Public Company, ~10,000+ Employees)',
'type': 'Food Delivery Platform'}],
'attack_vector': ['Improper Input Validation',
'Stored HTML Injection in Email Templates (Rendered by '
'Recipient Mail Clients; No Script Execution Required)',
'Abuse of Business Logic (Budget Name Field)'],
'data_breach': {'data_exfiltration': 'No',
'number_of_records_exposed': '0',
'personally_identifiable_information': 'None',
'sensitivity_of_data': 'None',
'type_of_data_compromised': 'None'},
'date_publicly_disclosed': '2024-11-07',
'date_resolved': '2024-11-03',
'description': "A vulnerability in DoorDash's systems allowed unauthorized "
"users to send 'official' DoorDash-themed emails directly from "
"the company's authorized servers ([email protected]). The "
'flaw, discovered by a pseudonymous researcher (doublezero7), '
'stemmed from an unvalidated input field in the DoorDash for '
'Business platform, enabling HTML injection in email '
'templates. This could be exploited to craft highly convincing '
'phishing emails, targeting not only DoorDash customers and '
'merchants but virtually any recipient. The vulnerability was '
'patched after 15+ months of disclosure disputes between the '
'researcher and DoorDash, with both parties accusing each '
'other of unethical behavior. The flaw did not expose user '
'data or grant access to internal systems but posed a '
'significant phishing risk.',
'impact': {'brand_reputation_impact': ['Negative Publicity Due to Disclosure '
'Dispute',
'Perception of Weak Security Practices',
"Comparison to Uber's 2022 Email "
'Spoofing Flaw'],
'data_compromised': 'None',
'identity_theft_risk': 'Low (Required User Interaction via '
'Phishing)',
'operational_impact': ['Risk of Phishing Attacks Targeting '
'Customers/Merchants/General Public',
'Dispute Over Vulnerability Disclosure '
'Process'],
'payment_information_risk': 'Low (Required User Interaction via '
'Phishing)',
'systems_affected': ['DoorDash for Business Platform',
'Email Servers ([email protected])']},
'initial_access_broker': {'backdoors_established': 'No',
'data_sold_on_dark_web': 'No',
'entry_point': 'DoorDash for Business Platform '
'(Budget Name Input Field)',
'high_value_targets': ['DoorDash Customers',
'Merchants',
'General Public (via Spoofed '
'Emails)'],
'reconnaissance_period': 'N/A (Exposure Window of 15+ Months '
'From Initial Report to Patch; No '
'Confirmed Exploitation)'},
'investigation_status': 'Resolved (Vulnerability Patched, Disclosure Dispute '
'Ongoing)',
'lessons_learned': ['Importance of Timely Vulnerability Triage and Patch '
'Management',
'Need for Clear Communication Channels Between '
'Researchers and Companies',
'Risks of Misaligned Expectations in Bug Bounty Programs '
'(Scope vs. Compensation)',
'Ethical Boundaries in Vulnerability Disclosure '
'(Extortion vs. Good Faith Reporting)',
'Criticality of Input Validation in Customer-Facing '
"Systems (Even 'Non-Critical' Fields Like Budget Names)"],
'motivation': ['Potential Financial Gain (Extortion Alleged by DoorDash; '
'Disputed by Researcher)',
'Phishing/Scam Campaigns (Hypothetical Threat Actors)',
'Reputation Damage (Disclosure Dispute)'],
'post_incident_analysis': {'corrective_actions': ['Patched Input Validation '
'in DoorDash for Business '
'Backend',
'Enhanced Email Template '
'Security (HTML '
'Sanitization)',
'Review of Bug Bounty '
'Program Policies and Scope',
'Internal Review of '
'Vulnerability Disclosure '
'Processes'],
'root_causes': ['Lack of Input Validation in '
'Budget Name Field',
'Insufficient Output Encoding in '
'Email Templates',
'Delayed Triage of Vulnerability '
'Report (15+ Months)',
'Breakdown in Communication '
'Between Researcher and DoorDash',
'Misalignment on Bug Bounty '
'Program Scope and Compensation']},
'recommendations': ['Expand Bug Bounty Program Scope to Include Email-Related '
'Vulnerabilities',
'Implement Automated Sanitization for All User-Supplied '
'Input in Email Templates',
'Establish Escalation Protocols for Disputed '
'Vulnerability Reports',
'Provide Transparent Timelines for Vulnerability '
'Remediation',
'Conduct Regular Security Audits of Business Logic Abuse '
'Vectors',
'Train Customer Support on Phishing Risks Stemming from '
'Spoofed Emails',
'Monitor for Phishing Campaigns Abusing Similar '
'Email-Template Injection Flaws (Including in Peer '
'Platforms)'],
'references': [{'date_accessed': '2024-11-07',
'source': 'BleepingComputer',
'url': 'https://www.bleepingcomputer.com/news/security/doordash-patches-flaw-that-let-anyone-send-official-company-emails/'},
{'source': "Researcher's Public Vulnerability Report "
'(doublezero7)'},
{'date_accessed': '2024-07-17 (Closed as Informative)',
'source': 'HackerOne Report #2608277'}],
'regulatory_compliance': {'legal_actions': ['Researcher Banned from DoorDash '
'Bug Bounty Program']},
'response': {'communication_strategy': ['Public Statement to BleepingComputer',
'No Direct Customer Notification '
'Mentioned'],
'containment_measures': ['Patch Applied to Input Validation in '
'DoorDash for Business Backend',
'HTML Sanitization in Email Templates'],
'incident_response_plan_activated': 'Yes (After 15+ Months of '
'Inaction)',
'remediation_measures': ['Closed Vulnerable Budget Name Input '
'Field',
'Enhanced Email Template Rendering '
'Security'],
'third_party_assistance': ['HackerOne (Bug Bounty Platform)']},
'title': 'DoorDash Email Spoofing Vulnerability Enabling Phishing Campaigns',
'type': ['Email Spoofing', 'HTML Injection', 'Phishing Vector'],
'vulnerability_exploited': ['Stored HTML Injection via Budget Name Input '
'Field',
'Lack of Output Encoding in Email Templates',
'Injected Content Delivered Through Authorized '
'DoorDash Mail Infrastructure (Passes Spam '
'Filtering)']}