
DoorDash email spoofing vulnerability sparks messy disclosure dispute


A vulnerability in DoorDash's systems could allow anyone to send "official" DoorDash-themed emails right from the company's authorized servers, paving a near-perfect phishing channel.

DoorDash has now patched the issue, but a contentious dispute has erupted between the researcher who reported the vulnerability and the company, with both sides accusing each other of acting improperly.

Anyone could send 'official' DoorDash emails

A simple flaw in the DoorDash for Business platform could let anyone send fully branded "official" emails directly from [email protected].

Discovered by a pseudonymous security researcher doublezero7, the flaw could be exploited by threat actors to launch highly convincing phishing campaigns and social engineering scams.

Put simply, anyone could create a free DoorDash for Business account and then use backend admin dashboards to add a new 'Employee' (with an arbitrary name and email address), assign them meal-expense budgets, and craft emails containing arbitrary HTML.

The resulting message, bearing DoorDash's official template, would arrive seamlessly in the recipient's inbox rather than the spam folder:

Researcher-crafted email sent via DoorDash's official servers (BleepingComputer)

The security researcher behind this discovery recently approached BleepingComputer and provided evidence of the vulnerability to demonstrate how it could be exploited by nefarious actors.

"The root was the Budget name input field. It was stored as raw text in the database and forwarded to the email, where it would be rendered," the researcher told BleepingComputer.
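The pattern the researcher describes, as an added example that is not from the article or from DoorDash's code: a budget name interpolated raw into an HTML email template, beside the output-escaped version and an input-side allow-list check. The template, function names, field names and sample values are constructed for illustration.

```python
import html
import re

# Constructed sample: a budget name carrying markup, the kind of value that,
# stored raw and rendered in an HTML email, becomes part of the message body.
UNTRUSTED_BUDGET_NAME = 'Lunch <a href="https://example.invalid">Update payment</a>'

# Constructed stand-in for a branded transactional template.
TEMPLATE = (
    "<p>Hi {employee},</p>"
    "<p>You have been added to the budget <b>{budget}</b>.</p>"
)

# Characters a human-readable budget name needs; angle brackets and quotes are not among them.
BUDGET_NAME_RE = re.compile(r"^[\w .,'()-]{1,64}$")


def render_vulnerable(employee: str, budget: str) -> str:
    """Interpolates tenant-supplied strings straight into the HTML body (the flawed pattern)."""
    return TEMPLATE.format(employee=employee, budget=budget)


def render_hardened(employee: str, budget: str) -> str:
    """Escapes every tenant-supplied value at the point it enters HTML."""
    return TEMPLATE.format(
        employee=html.escape(employee, quote=True),
        budget=html.escape(budget, quote=True),
    )


def is_valid_budget_name(name: str) -> bool:
    """Defense in depth at write time: reject markup before it is ever stored."""
    return BUDGET_NAME_RE.fullmatch(name) is not None


def contains_foreign_markup(body: str, allowed_tags=frozenset({"p", "b"})) -> bool:
    """Detection check for outbound mail: does the body contain tags the template never emits?"""
    tags = {t.lower() for t in re.findall(r"</?([a-zA-Z][a-zA-Z0-9]*)", body)}
    return not tags <= allowed_tags


if __name__ == "__main__":
    print(render_vulnerable("Alice", UNTRUSTED_BUDGET_NAME))
    print(render_hardened("Alice", UNTRUSTED_BUDGET_NAME))
```

The hardened renderer is the fix the article implies; the allow-list validator and the outbound-markup check are additional layers a defender would add around it.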
