Full Report
A vulnerability in DoorDash's systems could allow anyone to send "official" DoorDash-themed emails right from the company's authorized servers, paving a near-perfect phishing channel. DoorDash has now patched the issue, but a contentious disclosure dispute has erupted, with both sides accusing each other of acting in bad faith. [...]
Analysis Summary
# Incident Report: DoorDash Email Spoofing Vulnerability (Stored HTML Injection, reported as Stored XSS, via the Business Platform)
## Executive Summary
A security vulnerability in the DoorDash for Business platform allowed anyone with a free account to generate "official", fully branded emails impersonating DoorDash, sent from the company's own legitimate mail servers ([email protected]). The flaw was rooted in rendering unsanitized user input into an HTML email template, and it created a nearly perfect phishing channel. It was patched after a protracted disclosure dispute between the researcher and DoorDash, which ended with the researcher being removed from the bug bounty program.
## Incident Details
- Discovery Date: Prior to July 17, 2024 (HackerOne report filed, closed as "Informative" on July 17, 2024)
- Incident Date: Exploitable for over 15 months, from at least July 17, 2024 until the patch the week of November 3, 2025.
- Affected Organization: DoorDash
- Sector: Food Delivery / Technology
- Geography: Global (Affected platform used by anyone globally)
## Timeline of Events
### Initial Access
- Date/Time: Unknown; exploitable since at least July 17, 2024.
- Vector: The 'Budget name' input field in the DoorDash for Business platform.
- Details: An attacker could create a free DoorDash for Business account, add an 'Employee' (the address that receives the budget notification), and place an arbitrary HTML payload in the budget name. The value was stored as raw text and interpolated, without encoding, into the official budget-notification email template, so the attacker's markup became part of an email that DoorDash itself sent.
### Lateral Movement
- N/A. The flaw abused an outbound email channel to reach external recipients; no internal network compromise was involved.
### Data Exfiltration/Impact
- No exfiltration of user data and no access to internal systems were reported from the vulnerability itself. The impact was a highly convincing phishing vector that could target nearly any recipient.
### Detection & Response
- Detection: Reported by security researcher doublezero7 via HackerOne (Report #2608277).
- Response Actions: DoorDash initially closed the report as "Informative" on July 17, 2024. The researcher escalated the issue publicly and directly via email to DoorDash around the week of November 3, 2025, leading to a patch.
## Attack Methodology
- Initial Access: Creating a free DoorDash for Business account, which grants access to the business dashboard.
- Persistence: Not applicable.
- Privilege Escalation: Not applicable.
- Defense Evasion: The emails were generated and sent by DoorDash's own authorized mail servers ([email protected]), so sender-authentication checks on the receiving side (SPF, DKIM, DMARC) passed legitimately and reputation-based spam filtering had no spoofed sender to catch; only content-based filtering stood in the way. Within the message, the injected HTML used `display:none` to hide the legitimate budget information and replace it with attacker-controlled content.
- Credential Access: N/A. The vulnerability was the delivery vector; credential theft or other social engineering still relied on the recipient acting on the email, such as clicking a link.
- Discovery: HTML injection in the budget name field (reported as stored XSS; since mail clients do not execute scripts, the practical impact is attacker-controlled content and links inside a trusted email rather than script execution).
- Lateral Movement: Not applicable.
- Collection: Not applicable.
- Exfiltration: Not applicable.
- Impact: Facilitation of highly convincing phishing/social engineering campaigns.
## Impact Assessment
- Financial: Not quantified. The dispute over researcher compensation contributed to the breakdown of the disclosure process.
- Data Breach: No evidence of DoorDash user data exposure via this specific flaw.
- Operational: Minor direct impact until patched; the main operational cost was the friction of the disclosure dispute.
- Reputational: Significant reputational damage due to the protracted disclosure dispute (over 15 months) and accusations of bad faith from both the researcher and the company.
## Indicators of Compromise
- Network Indicators: None identified, as the attack vector utilized legitimate organizational email infrastructure.
- File Indicators: None identified.
- Behavioral Indicators: DoorDash for Business accounts whose budget names contain HTML markup (tags, style attributes such as `display:none`, or links), and budget notification emails that are unusually large or structured unlike the standard template.
## Response Actions
- Containment measures: The vulnerability was patched by the week of November 3, 2025.
- Eradication steps: Sanitization/encoding of the 'Budget name' field was implemented so that raw HTML is no longer rendered in outgoing email templates.
- Recovery actions: None reported. Separately, DoorDash removed the researcher from the bug bounty program.
## Lessons Learned
- Output Encoding Criticality: Recipient-side email defenses cannot help when the message is genuinely sent by the trusted organization; any field rendered into an HTML email must be encoded on output. The flaw was a textbook case of stored, attacker-controlled text being rendered as markup.
- Disclosure Process Management: A 15-month exposure time for a significant phishing vector indicates severe process failure in triage and prioritization of reported vulnerabilities.
- Researcher Relations: Misaligned expectations regarding financial compensation and disclosure timelines rapidly derailed ethical disclosure, leading to public conflict.
## Recommendations
- Immediately audit all input fields within the DoorDash for Business platform (and similar customer-facing tools) that feed into server-initiated communication channels (email, SMS, push) for HTML injection and stored cross-site scripting (XSS).
- Implement strict, server-side output encoding or sanitization for every field rendered in transactional emails, regardless of perceived risk level; a template engine with context-aware auto-escaping enabled by default removes the per-field judgment call.
- Establish clear remediation service level agreements (SLAs) for vulnerability reports, especially for severe vectors such as email spoofing from authenticated infrastructure, to prevent long periods of unresolved exposure.
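As an added example (illustrative code written for this report, not DoorDash's template, code or data), the Python below ties together three parts of the write-up: the rendering defect described under Attack Methodology, the output-encoding fix recommended above, and a hunt over stored budget names for the behavioral indicator listed under Indicators of Compromise. The email template, the payload, the domains `phish.example` and `example.invalid`, and the sample records are all constructed; the real template and the researcher's exact payload are not on the page.

```python
"""Added example for this write-up, not DoorDash's template, code or data:
HTML injection into a transactional email, the output-encoding fix, and a
hunt over stored budget names for injected markup."""
import html
from html.parser import HTMLParser
from string import Template

# Constructed stand-in for a budget-notification email. Assumption: the real
# template interpolated the budget name into HTML without encoding it.
EMAIL_TEMPLATE = Template(
    "<html><body><h1>Your DoorDash for Business budget</h1>"
    "<p>You have been added to the budget <b>$budget_name</b>.</p>"
    '<p><a href="https://example.invalid/budgets">View budget</a></p>'
    "</body></html>"
)

# Constructed payload in the style the report describes: close the template's
# own tags, insert a phishing message and link, then open a display:none
# container that swallows the legitimate remainder of the email.
MALICIOUS_BUDGET_NAME = (
    "Lunch</b></p><p>Your account has been locked. "
    '<a href="https://phish.example/login">Verify now</a></p>'
    '<div style="display:none">'
)


def render_vulnerable(budget_name: str) -> str:
    """Before the fix: raw substitution, so markup in the name becomes markup in the email."""
    return EMAIL_TEMPLATE.substitute(budget_name=budget_name)


def render_hardened(budget_name: str) -> str:
    """After the fix: HTML-encode the field where it is rendered. The stored
    value is untouched; the control sits on the output side."""
    return EMAIL_TEMPLATE.substitute(budget_name=html.escape(budget_name, quote=True))


class VisibleContent(HTMLParser):
    """Approximates what a mail client shows: text and links inside a
    display:none element are dropped. Every start tag and href is also
    recorded, which doubles as a check for markup in a plain-text field."""

    def __init__(self):
        super().__init__()
        self.text, self.links = [], []   # visible text fragments, clickable hrefs
        self.tags, self.hrefs = [], []   # every start tag / every href, hidden or not
        self.hidden_seen = False         # a display:none style appeared somewhere
        self._stack = []                 # (tag, hidden) for each open element

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        own_hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        hidden = own_hidden or (self._stack[-1][1] if self._stack else False)
        self.hidden_seen = self.hidden_seen or own_hidden
        self._stack.append((tag, hidden))
        self.tags.append(tag)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
            if not hidden:
                self.links.append(a["href"])

    def handle_endtag(self, tag):
        # Pop to the matching open element; ignore stray closers such as the
        # template's own </b> once the payload has already closed that element.
        if any(t == tag for t, _ in self._stack):
            while self._stack.pop()[0] != tag:
                pass

    def handle_data(self, data):
        if data.strip() and not (self._stack and self._stack[-1][1]):
            self.text.append(data.strip())


def parse(doc: str) -> VisibleContent:
    p = VisibleContent()
    p.feed(doc)
    p.close()
    return p


def visible_text(doc: str) -> str:
    return " ".join(parse(doc).text)


def visible_links(doc: str) -> list:
    return parse(doc).links


def suspicious_budget_names(records) -> list:
    """A budget name is a short label, so any tag in it is an indicator;
    hidden containers and links are the strongest signals."""
    findings = []
    for rec in records:
        p = parse(rec["budget_name"])
        if p.tags:
            findings.append({"account_id": rec["account_id"], "tags": sorted(set(p.tags)),
                             "hides_content": p.hidden_seen, "hrefs": p.hrefs})
    return findings


# Constructed sample of stored budget names; "<3" is a literal, not a tag.
SAMPLE_RECORDS = [
    {"account_id": "biz-1001", "budget_name": "Q3 team lunches"},
    {"account_id": "biz-1002", "budget_name": "R&D offsite <3"},
    {"account_id": "biz-2077", "budget_name": MALICIOUS_BUDGET_NAME},
]
```

Running `visible_text(render_vulnerable(MALICIOUS_BUDGET_NAME))` shows the DoorDash heading followed by the attacker's "Your account has been locked" message, with the only clickable link pointing at the phishing domain and the genuine "View budget" link hidden; `render_hardened` turns the same payload into inert literal text, and the only link left is the template's own. `suspicious_budget_names(SAMPLE_RECORDS)` flags just the third account, naming the tags, the hidden container and the href, while the `<3` in the second record produces no false positive.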