A security vulnerability in DoorDash’s systems allowed anyone to send branded emails from their servers, enabling potential phishing campaigns. The issue was patched after a prolonged disclosure process, amid disputes between the researcher and the company. #DoorDash #EmailSpoofing
Key points
- A flaw in DoorDash’s platform enabled sending fully branded emails through their servers.
- The vulnerability was exploited by creating fake “official” DoorDash emails for phishing.
- The issue remained unpatched for 15 months after the researcher reported it.
- DoorDash accused the researcher of attempting extortion during disclosure negotiations.
- The vulnerability did not expose user data but raised concerns over email-based scams.