DoorDash Email Spoofing: Phishing Scam Vulnerability Exposed (2025)

A shocking revelation has emerged, highlighting a critical vulnerability in DoorDash's systems. This flaw allowed anyone to send seemingly official DoorDash-themed emails, creating a perfect storm for phishing attacks. While the issue has now been patched, a heated dispute has erupted between the researcher who uncovered the vulnerability and DoorDash, with both sides trading accusations of misconduct.

The vulnerability, discovered by a security researcher known as doublezero7, was a simple yet powerful flaw in the DoorDash for Business platform. It enabled anyone to send fully branded emails directly from the company's authorized servers, with the potential to launch highly convincing phishing campaigns and social engineering scams.

Imagine this: anyone could create a free DoorDash for Business account, access the backend admin dashboards, add a new 'Employee' with an arbitrary name and email address, assign them meal-expense budgets, and craft emails containing custom HTML. The resulting message, appearing as an official DoorDash email, would seamlessly land in the recipient's inbox, bypassing spam filters.

The security researcher recently approached BleepingComputer, providing evidence of the vulnerability and demonstrating how it could be exploited. They explained that the root cause was an input field for budget names: the platform stored the raw text in the database and inserted it unescaped into outgoing emails, allowing HTML injection into the message body.

"Using unclosed tags, I could alter the entire block of text about budget information and hide it completely, replacing it with a crafted payload," the researcher said.
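The bug class described above, shown as an added illustration rather than DoorDash's own code: a constructed email fragment (assumed template, not the real one) interpolates a budget name either verbatim or HTML-escaped, with an input-validation check and an outbound-mail detection check for tags the template never emits.

```python
import html
import re

# Constructed email fragment (assumed, not DoorDash's real template) that drops a
# budget name into the message body, like the budget block the article describes.
BUDGET_BLOCK_TEMPLATE = (
    "<p>You have been added to the budget <b>{name}</b>.</p>"
    "<p>Monthly limit: ${limit}</p>"
)

# Tags the template legitimately emits; anything else in the output came from input.
TEMPLATE_TAGS = frozenset(("p", "b"))
TAG_RE = re.compile(r"<\s*/?\s*([A-Za-z][A-Za-z0-9-]*)")


def render_vulnerable(name: str, limit: int) -> str:
    """Interpolates the stored name verbatim: raw text in, raw HTML out."""
    return BUDGET_BLOCK_TEMPLATE.format(name=name, limit=limit)


def render_hardened(name: str, limit: int) -> str:
    """Output encoding: escape the user-controlled value where it enters HTML."""
    return BUDGET_BLOCK_TEMPLATE.format(name=html.escape(name, quote=True), limit=limit)


def validate_budget_name(name: str, max_len: int = 64) -> bool:
    """Input validation as defense in depth: a budget label has no business
    containing angle brackets or control characters, and should be short."""
    if not name or len(name) > max_len:
        return False
    return not any(ch in "<>" or ord(ch) < 0x20 for ch in name)


def foreign_tags(rendered: str) -> set:
    """Detection check for outbound mail: tag names present in the rendered
    email that the template itself never emits."""
    return {t.lower() for t in TAG_RE.findall(rendered)} - TEMPLATE_TAGS


if __name__ == "__main__":
    # Constructed input mirroring the unclosed-tag trick the article describes.
    payload = "Lunch <div hidden>"
    print(foreign_tags(render_vulnerable(payload, 25)))  # {'div'}
    print(foreign_tags(render_hardened(payload, 25)))    # set()
    print(validate_budget_name(payload))                 # False
```

The escaped rendering turns the stray tag into visible text, and the foreign-tag check gives a cheap pre-send guard for any template that carries user-supplied strings.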

The researcher's proof-of-concept exploit, shown in the screenshot, demonstrates how the "Claim Free 20$ Voucher" text could be injected into DoorDash emails. This vulnerability was identical to an unaddressed flaw in Uber's email systems, as revealed by BleepingComputer in 2022.

The researcher's initial report, filed through HackerOne, was closed as "Informative" on July 17, 2024, and the flaw remained unpatched for over 15 months. It wasn't until November 2024 that the issue was finally addressed, after the researcher's persistent efforts and direct emails to DoorDash.

"Without my public pressure, this vulnerability would still be active today," the researcher claimed.

However, the ethical disclosure process took a turn, and DoorDash accused the researcher of extortion, claiming the issue fell outside the scope of their bug bounty program. A spokesperson for DoorDash stated that they operate a bug bounty program to collaborate with security researchers but that this individual attempted to extort money, leading to their ban from the program.

The researcher, on the other hand, framed their report as a legitimate security finding deserving compensation. They argued that DoorDash ignored the issue until pressured and then attempted to silence them, which they believed was an unethical approach.

"My decision to disclose stems from the company's free use of my service, their attempt to hide their failure, and their subsequent attempt to silence me," the researcher said.

While the now-patched flaw didn't expose user data or provide access to internal systems, it raises important questions about vulnerability reporting and the expectations of researchers and companies. This case highlights the potential pitfalls and conflicts that can arise when there is a misalignment of goals and ethics.

As we head into 2026, it's crucial for security leaders to reflect on these incidents and benchmark their strategies to ensure a more secure digital landscape.

What are your thoughts on this controversial disclosure dispute? Do you think the researcher's actions were justified, or did they cross ethical boundaries? Join the discussion in the comments and share your insights!

Author: Lilliana Bartoletti