Imagine receiving an email from DoorDash, complete with their official branding and logo, only to discover it’s a cleverly disguised phishing scam. That’s exactly what a recently uncovered vulnerability in DoorDash’s systems could have allowed anyone to do—and it’s sparked a heated debate between the researcher who found it and the company itself. But here’s where it gets controversial: while DoorDash has patched the issue, the dispute over how it was handled has left both sides trading accusations of misconduct. Let’s dive into the details.
A security researcher operating under the pseudonym doublezero7 discovered a flaw in DoorDash’s DoorDash for Business platform that allowed anyone to send fully branded, 'official' emails directly from the company’s no-reply@doordash.com address. This wasn’t just a minor oversight—it was a near-perfect phishing channel. By creating a free DoorDash for Business account, an attacker could add a fake 'Employee' with any name and email, assign them a meal-expense budget, and craft emails containing arbitrary HTML. The result? A convincing email, indistinguishable from the real thing, landing directly in a recipient’s inbox—not their spam folder.
And this is the part most people miss: The vulnerability hinged on a simple yet critical oversight in the Budget name input field. The researcher explained to BleepingComputer that the field's value was stored as raw text in the database and then inserted into the email template as-is, without sanitization or escaping. By supplying unclosed HTML tags and CSS such as display:none, the researcher could alter or hide entire sections of the legitimate email and replace them with attacker-chosen content. For example, the proof-of-concept screenshot above shows a fake '$20 voucher' rendered entirely through this injection.
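To make the template-injection point concrete, here is an added example that is not DoorDash's code: the template, the field name and the hostile budget name are constructed for illustration. It renders a stand-in budget e-mail both with raw interpolation (the reported behaviour) and with HTML escaping, and adds the input-validation check a defender would want on the field.

```python
import html
import re

# Stand-in for a branded transactional e-mail template (constructed for this
# example; not DoorDash's real template). The only user-controlled value is
# the budget name.
TEMPLATE = (
    '<html><body>'
    '<div id="header"><img alt="logo" src="cid:logo"></div>'
    '<p>You have been assigned the budget "{budget_name}".</p>'
    '<div id="footer">Sent by no-reply@doordash.com</div>'
    '</body></html>'
)

# Constructed stand-in for a hostile budget name: an unclosed tag carrying an
# inline style, the pattern the report describes for hiding template sections.
HOSTILE_NAME = '<div style="display:none"'


def render_vulnerable(budget_name: str) -> str:
    """Interpolates the stored value verbatim, so markup in it becomes markup."""
    return TEMPLATE.format(budget_name=budget_name)


def render_hardened(budget_name: str) -> str:
    """Escapes the value (quotes included) so it renders as literal text."""
    return TEMPLATE.format(budget_name=html.escape(budget_name, quote=True))


def validate_budget_name(name: str) -> bool:
    """Defense in depth at the storage layer: a short allow-list of characters.

    Rejects anything that could open a tag or attribute; escaping on output
    remains the primary control.
    """
    return re.fullmatch(r"[\w .,'-]{1,64}", name) is not None


def injected_angle_brackets(rendered: str) -> int:
    """Regression check: count '<' characters that did not come from the template.

    A non-zero result means user input reached the HTML as markup.
    """
    baseline = TEMPLATE.format(budget_name="").count("<")
    return rendered.count("<") - baseline
```

The same check can be run as a unit test against any template that interpolates user data, so a future template change that drops the escaping fails the build rather than shipping.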
What’s more, this flaw wasn’t limited to targeting DoorDash customers or merchants. Anyone could have been on the receiving end of these spoofed emails, making it a potent tool for phishing and social engineering scams. Sound familiar? It should—this vulnerability mirrors an unaddressed flaw in Uber’s email systems revealed in 2022, which allowed similar abuse.
But the real drama unfolded in the disclosure process. Frustrated by DoorDash’s slow response, the researcher published a brief report summarizing the flaw after 15 months of waiting. They claim DoorDash only patched the issue after repeated direct emails and public pressure. However, DoorDash paints a different picture, accusing the researcher of demanding a substantial payment tied to disclosure timelines—a move the company deemed extortionate and outside the bounds of ethical bug bounty research.
Here’s where opinions start to clash: The researcher argues their actions were justified given DoorDash’s alleged neglect, while the company insists the researcher crossed ethical lines. DoorDash banned the researcher from their bug bounty program, labeling the issue 'out of scope.' The researcher, in turn, sees this as retaliation for exposing the company’s 16-month failure to address the flaw.
So, who’s in the right? Was the researcher’s ultimatum a necessary nudge or an unethical demand? And did DoorDash handle the situation fairly, or did they prioritize damage control over collaboration? These questions don’t have easy answers, but they highlight the delicate balance between security research and corporate responsibility.
One thing’s for sure: this case serves as a cautionary tale about the challenges of vulnerability disclosure. Misaligned expectations between researchers and companies can quickly escalate into conflict, leaving both sides feeling wronged. As for the flaw itself, while it’s now patched, it raises broader questions about the security of email systems and the potential for abuse in trusted platforms.
What do you think? Did the researcher go too far, or was DoorDash at fault for their slow response? Let us know in the comments—this is one debate that’s far from over.