A vulnerability in DoorDash's email systems left the door wide open for cybercriminals to launch highly convincing phishing attacks, potentially putting a large number of users at risk. But here's where it gets messy: the discovery of this flaw has sparked a heated dispute between the security researcher who found it and DoorDash itself.
Imagine this: anyone, whatever their intentions, could create a free DoorDash for Business account and use a simple flaw to send seemingly legitimate emails from DoorDash's official mail servers. The messages carried DoorDash's branding and the trusted 'no-reply@doordash.com' sender address, and because they genuinely left DoorDash's own infrastructure rather than being spoofed, they passed the sender-authentication checks (SPF, DKIM, DMARC) that receiving mail systems rely on to keep forged mail out of the inbox. This vulnerability, discovered by a researcher operating under the pseudonym 'doublezero7', effectively handed cybercriminals a ready-made vehicle for phishing scams and social engineering attacks.
And this is the part most people miss: the researcher claims the flaw was shockingly easy to exploit. The name given to a budget in the DoorDash for Business interface was inserted into the HTML of the notification email without being escaped or sanitised, so a budget name containing HTML tags (a fake payment alert, a link to a page the attacker controls) was rendered as part of an otherwise authentic DoorDash message. DoorDash, however, argues that the researcher's actions crossed ethical lines: the company alleges that the researcher demanded a substantial payment in exchange for disclosing the vulnerability within a specific timeframe, a tactic DoorDash characterises as extortion.
The researcher, frustrated by what they saw as DoorDash's slow response to their initial reports, eventually published a summary of the vulnerability. This move, they claim, finally pressured DoorDash into patching the flaw after a staggering 15 months of inaction. DoorDash, on the other hand, maintains that the researcher's demands were unreasonable and that it was within its rights to ban the researcher from its bug bounty program.
This case highlights the delicate balance between responsible disclosure and the financial incentives often associated with vulnerability research. While the researcher believes they were justified in their actions, DoorDash sees it as a breach of ethical conduct. Where do you stand? Should researchers be entitled to compensation for their discoveries, even if their methods are controversial? Or does the potential for extortion outweigh the benefits of incentivizing vulnerability reporting?
The now-patched vulnerability, while not directly exposing user data or granting access to internal systems, served as a stark reminder of the ever-present threat of phishing attacks. It also underscores the need for clear communication and mutually agreed-upon guidelines between security researchers and companies to prevent such disputes from derailing the crucial process of identifying and fixing vulnerabilities before they can be exploited by malicious actors. Interestingly, this DoorDash flaw bears a striking resemblance to a similar vulnerability discovered in Uber's email systems in 2022, raising concerns about the prevalence of such weaknesses in major platforms.