DoorDash Email Spoofing: Researcher Disputes Disclosure After Vulnerability Patch (2025)

Imagine receiving an email from DoorDash, complete with the company's branding and logo and sent from its real mail servers, only to discover that the body was written by a phisher. That is exactly what a recently uncovered vulnerability in DoorDash's systems could have allowed, and it has sparked a heated dispute between the researcher who found it and the company itself. Here's the full story.

A security researcher operating under the pseudonym doublezero7 discovered a flaw in the DoorDash for Business platform that let anyone send fully branded, 'official' emails from the company's no-reply@doordash.com address. Because the messages were generated and sent by DoorDash's own infrastructure rather than forged by the attacker, they passed the same SPF, DKIM and DMARC checks as any legitimate DoorDash message, which is why they reached inboxes rather than spam folders. But here's where it gets controversial: while DoorDash has since patched the issue, the researcher and the company are locked in a messy dispute over how the vulnerability was handled, and over whether the researcher's actions crossed ethical lines.

How the Vulnerability Worked

The flaw was simple but effective. Anyone could create a free DoorDash for Business account, open its admin dashboard and add a new 'Employee' with any name and email address. Assigning that employee a meal-expense budget triggered a genuine DoorDash notification email to the address, and the budget's name, which the attacker controlled, was inserted into that email as raw HTML. The result was a message that looked identical to an official DoorDash email and landed in the recipient's inbox rather than the spam folder. And this is the part most people miss: the emails were not limited to DoorDash customers or merchants; any address could be entered as an 'Employee', so virtually anyone could be targeted with these convincing phishing attempts.

The researcher explained to BleepingComputer that the root cause was the Budget name input field. The value was stored in the database exactly as entered, then interpolated into the notification email and rendered as part of its HTML without being escaped. Using unclosed HTML tags and CSS such as display:none, the researcher could hide entire sections of the legitimate template and replace them with attacker-supplied content. The proof-of-concept featured a 'Claim Free $20 Voucher' button, a classic phishing lure. In other words, this was HTML injection into an email template, the email equivalent of stored cross-site scripting, and the standard remedy is the same: validate the field at intake and HTML-encode it at the point where it is placed into the message.
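To make the mechanism concrete, here is an added example in Python; it is not DoorDash's code and not the researcher's proof of concept. It assumes a toy notification template with the same shape the article describes and a constructed payload; the link domain phish.example is a placeholder. The vulnerable renderer interpolates the budget name verbatim, the hardened one HTML-encodes it, and a small parser approximates what a mail client would display, so the footer vanishing and the phishing link appearing in one case but not the other is visible in the output. An allow-list intake check is included because a budget label has no legitimate need for markup.

```python
import html
import re
from html.parser import HTMLParser

# Constructed stand-in for the budget-notification template. The real
# DoorDash template is not public; this shape (fixed branding, a
# user-controlled budget name, a footer) is an assumption.
TEMPLATE = (
    "<html><body>"
    "<h1>A meal budget has been assigned to you</h1>"
    "<p>Budget: {budget_name}</p>"
    "<p>Open the DoorDash app to use it.</p>"
    "</body></html>"
)

# Constructed payload of the kind the article describes: close the open
# paragraph, inject a phishing call-to-action, then open a display:none
# container and never close it so the genuine footer is swallowed.
# The link target is a placeholder, not a real domain.
PAYLOAD = (
    "Lunch</p>"
    '<a href="https://phish.example/claim">Claim Free $20 Voucher</a>'
    '<div style="display:none">'
)


def render_vulnerable(budget_name: str) -> str:
    """Interpolate the stored value verbatim (the defect the article describes)."""
    return TEMPLATE.format(budget_name=budget_name)


def render_hardened(budget_name: str) -> str:
    """Encode the value for an HTML text context before interpolation."""
    return TEMPLATE.format(budget_name=html.escape(budget_name, quote=True))


# Allow-list for the field itself: a budget label never needs markup.
BUDGET_NAME_RE = re.compile(r"[A-Za-z0-9 ,.'()-]{1,64}")


def is_acceptable_budget_name(name: str) -> bool:
    """Intake validation, applied in addition to (not instead of) output encoding."""
    return BUDGET_NAME_RE.fullmatch(name) is not None


class _MailClientView(HTMLParser):
    """Rough model of what a mail client displays: text outside display:none
    subtrees, plus every link target. A hidden element that is never closed
    hides everything after it, which is exactly the attacker's aim."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden: list[str] = []   # open tags inside a hidden subtree
        self.text: list[str] = []
        self.links: list[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        if self.hidden:
            self.hidden.append(tag)          # nested inside a hidden subtree
        elif "display:none" in style:
            self.hidden.append(tag)          # start of a hidden subtree
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if self.hidden and self.hidden[-1] == tag:
            self.hidden.pop()

    def handle_data(self, data):
        if not self.hidden and data.strip():
            self.text.append(data.strip())


def visible(document: str) -> tuple[str, list[str]]:
    """Return (displayed text, link targets) for a rendered email body."""
    view = _MailClientView()
    view.feed(document)
    view.close()
    return " ".join(view.text), view.links


if __name__ == "__main__":
    for label, doc in (("vulnerable", render_vulnerable(PAYLOAD)),
                       ("hardened", render_hardened(PAYLOAD))):
        text, links = visible(doc)
        print(f"{label:10} text={text!r}")
        print(f"{'':10} links={links}")
    print("intake check rejects payload:", not is_acceptable_budget_name(PAYLOAD))
```

Run stand-alone, the vulnerable rendering shows only the heading, "Budget: Lunch" and the voucher link, with the real footer gone; the hardened rendering shows the payload as inert text, keeps the footer and yields no link. Note that the allow-list alone is not sufficient: values can reach the template through other paths (imports, APIs, older records), so the encoding at the rendering site is the control that must never be skipped.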

The Disclosure Dispute

The researcher first reported the vulnerability through HackerOne’s bug bounty program in July 2023. However, the report was closed as 'Informative' and, according to the researcher, was never properly escalated. Frustrated by the lack of action, the researcher published a brief vulnerability report in October 2023, summarizing the flaw without revealing technical details. It wasn’t until November 2023—after the researcher directly emailed DoorDash repeatedly—that the company finally patched the issue.

Here’s where opinions start to clash: The researcher claims DoorDash ignored the vulnerability for over 15 months and only acted after public pressure. DoorDash, however, accuses the researcher of demanding a substantial payment tied to disclosure timelines—a move the company views as extortion. The researcher admits to using a 'less ethical' approach, including offering a compensated NDA in exchange for silence, but argues that DoorDash’s handling of the situation was equally unethical.

DoorDash has since banned the researcher from its bug bounty program, calling the issue 'out of scope.' A spokesperson told BleepingComputer: 'This individual attempted to extort DoorDash for money. The issue reported fell outside the scope of our bug bounty program, but our security team has taken action to address it.' Meanwhile, HackerOne confirmed that appropriate actions were taken consistent with its Code of Conduct, though it didn’t comment on why the initial report was closed as 'Informative.'

The Bigger Picture

This case highlights the delicate balance between ethical vulnerability disclosure and corporate responsibility. While the flaw didn’t expose user data or internal systems, it posed a significant phishing risk—a risk that went unaddressed for over a year. Here’s a thought-provoking question for you: Should researchers be compensated for their work, even if their methods are questionable? Or does demanding payment for vulnerability disclosure cross a line into extortion?

The researcher, reflecting on the situation, admitted uncertainty about their actions but stood by the outcome: 'Ultimately, they patched the flaw, so at least I accomplished that.' This story serves as a reminder of how misaligned expectations between researchers and companies can lead to conflict—and how transparency and communication are key to resolving such disputes.

What do you think? Did the researcher go too far, or was DoorDash negligent in addressing the vulnerability? Let us know in the comments!

Article information

Author: Sen. Ignacio Ratke

