The Email Spoofing Flaw in DoorDash’s Platform
- marketing14560
- 4 days ago

Imagine you wake up to an email from “no‑reply@doordash.com” saying you’ve been granted a $20 voucher. Looks legit. But what if that email really was sent from DoorDash’s servers, not by a scammer spoofing the address, because a flaw inside the system let anyone craft that message? That’s exactly the scenario unearthed when security researcher “doublezero7” uncovered a vulnerability in DoorDash’s “for Business” platform, and the aftermath spiraled into a messy disclosure dispute.
The problem stemmed from a flaw in the DoorDash for Business platform: via a free business account, the researcher was able to add an arbitrary “Employee” with any name/email, then draft an email in DoorDash’s branded template and send it through DoorDash’s own “no‑reply@doordash.com
Why It Matters
It illustrates how user‑input fields on backend systems, when not sanitized, can be leveraged not just for UI issues but for real‑world risk, here through email templates.
It also raises industry questions about bug bounty programs: what counts as in‑scope vs out‑of‑scope, how quickly companies respond, and how researchers and organisations should cooperate to avoid adversarial escalation.
The public dispute, with the researcher alleging neglect and the company accusing extortion, adds strain to the already delicate trust between security researchers and platform operators, a trust that is vital to a healthy vulnerability disclosure ecosystem.
Takeaway
Even basic systems like business accounts or backend forms can turn into big security risks when linked to trusted websites. To stay safe, we should clean up all user input, keep an eye on how emails are sent, and create clear and fair ways to report bugs so people work together instead of fighting.
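As an added illustration of "clean up all user input" for a templated email (not DoorDash's code and not from the original post), the sketch below places an unsanitized renderer beside a hardened one. The template, function names, limits and the `no-reply@example.com` sender are all assumptions made for the example.

```python
import html
import re
from email.message import EmailMessage

# Constructed template standing in for a branded invitation email.
TEMPLATE = "<h1>Welcome, {name}!</h1><p>{note}</p>"

CONTROL = re.compile(r"[\x00-\x1f\x7f]")              # CR/LF and other control chars
LINKISH = re.compile(r"(https?://|www\.|<|>)", re.I)  # markup or links in a name
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def render_unsafe(name, note):
    """'Before' form: user fields are pasted into the HTML unchanged."""
    return TEMPLATE.format(name=name, note=note)


def validate_name(name):
    """Reject names carrying control characters, markup or links."""
    name = name.strip()
    if not 1 <= len(name) <= 64:
        raise ValueError("name length out of range")
    if CONTROL.search(name) or LINKISH.search(name):
        raise ValueError("name contains disallowed characters")
    return name


def build_invite(name, recipient, note, sender="no-reply@example.com"):
    """Hardened form: validate, escape, then build the message."""
    name = validate_name(name)
    if CONTROL.search(recipient) or not ADDR.fullmatch(recipient):
        raise ValueError("recipient is not a single plain address")
    body = TEMPLATE.format(name=html.escape(name), note=html.escape(note))
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "You have been added to a team"  # fixed, never user-supplied
    msg.set_content("Open this message in an HTML-capable client.")
    msg.add_alternative(body, subtype="html")
    return msg


def html_part(msg):
    """Return the rendered HTML body of a message built above."""
    return msg.get_body(preferencelist=("html",)).get_content()
```

Escaping only neutralizes markup. Free text sent under a trusted sender address still deserves rate limits and review, which is the "keep an eye on how emails are sent" half of the advice.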
Stay safe out there
-Mars
New Funnies
What’s a hacker’s favorite breakfast?
Spam and eggs.
What do you call a DoorDash email that says you won $1,000?
A phish filet.
Why did the DoorDash user stop opening emails?
Too many hot deals, not enough hot meals.
I tried to scam DoorDash. What happened?
They delivered justice instead.





