[DISCLOSURE] DoorDash Enabled 5-Year XSS/HTML Injection Flaw via Official Email; VDP Misclassified Report for 15 Months
A critical stored HTML Injection vulnerability existed in DoorDash's email system for five years, allowing any free account to send phishing emails from the trusted no-reply@doordash.com domain. This flaw enabled attackers to bypass typical email security barriers by leveraging a legitimate sender address, significantly increasing the likelihood of successful phishing attacks. The vulnerability was misclassified in DoorDash's HackerOne Vulnerability Disclosure Program (VDP) for 15 months, delaying remediation. Although no known exploits are currently in the wild, the potential for abuse is high due to the trusted nature of the sender domain and the zero-barrier exploitation method. This issue highlights risks in vendor vulnerability management and the importance of accurate triage. European organizations using DoorDash services or receiving emails from this domain could be targeted by phishing campaigns exploiting this flaw. Immediate mitigation involves enhanced email filtering, user awareness, and verification of email authenticity. Countries with high DoorDash usage and significant e-commerce sectors, such as the UK, Germany, and France, are most likely to be affected. The severity is assessed as critical given the impact on confidentiality and integrity and the ease of exploitation without authentication or user interaction requirements.
AI Analysis
Technical Summary
The disclosed vulnerability is a critical stored HTML Injection flaw in DoorDash's email system that persisted for approximately five years. It allowed any user with a free DoorDash account to inject attacker-controlled HTML into emails sent from the official no-reply@doordash.com domain. Because these emails were genuinely sent by DoorDash's own infrastructure, they passed sender authentication (SPF, DKIM, DMARC) and arrived with the reputation of a trusted domain, so the crafted phishing content bypassed many traditional email security controls such as spam filters. The flaw effectively enabled zero-barrier phishing campaigns, as no elevated privileges or complex exploitation steps were required. The vulnerability was reported but misclassified within DoorDash's HackerOne Vulnerability Disclosure Program for 15 months, delaying the patching process. Although there are no known active exploits in the wild, the potential impact is severe due to the trusted sender domain and the ability to deliver malicious payloads directly to recipients' inboxes. This vulnerability underscores the risks of improper input validation and output encoding in email templates, and the critical need for rigorous triage and classification in vulnerability management programs. The lack of patch links suggests remediation may still be pending or undisclosed publicly. The issue was first publicly discussed on Reddit's NetSec community and is considered highly newsworthy due to its critical nature and the long duration it remained unaddressed.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily through phishing attacks that could lead to credential theft, malware installation, or business email compromise. Since the phishing emails would appear to come from a legitimate and trusted DoorDash domain, users are more likely to trust and engage with malicious content, increasing the success rate of social engineering attacks. Organizations with employees who use DoorDash services or receive communications from DoorDash are at heightened risk. The potential compromise of user credentials or the delivery of malware could lead to data breaches, financial fraud, and disruption of business operations. Additionally, the reputational damage to DoorDash and its partners could indirectly affect European businesses relying on their services. The delayed remediation due to misclassification also highlights systemic risks in vulnerability management that could affect supply chain security. Overall, the impact extends beyond DoorDash customers to any entity targeted via phishing leveraging this vulnerability.
Mitigation Recommendations
1. Implement advanced email filtering solutions that incorporate heuristic and behavioral analysis to detect phishing attempts, even from trusted domains.
2. Employ Domain-based Message Authentication, Reporting & Conformance (DMARC), SPF, and DKIM policies rigorously and monitor for anomalies in email sending patterns.
3. Educate employees and users about the risk of phishing emails, emphasizing caution even when emails appear to come from trusted sources.
4. Use email client protections such as disabling automatic HTML rendering or enabling safe reading modes to reduce the risk of malicious HTML execution.
5. Monitor and audit DoorDash-related email traffic for unusual patterns or unexpected content.
6. Engage with DoorDash to confirm remediation status and request transparency on patch deployment.
7. For organizations integrating DoorDash services, consider additional verification steps for communications and transactions initiated via email.
8. Review and improve internal vulnerability disclosure and triage processes to prevent misclassification and delays in remediation of critical vulnerabilities.
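As an added example for recommendation 5 (not code from the disclosure or from DoorDash), the check below parses a message and flags the pattern described above: a sender on an authenticated, trusted domain whose HTML body carries offsite links or risky tags. The sample messages are constructed, and the trusted-host allowlist is an assumption.

```python
"""Flag injected-HTML phishing indicators in transactional email.

Added example, not part of the disclosure or DoorDash's code. The messages
are constructed; the trusted host list is an assumption for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_HOSTS = ("doordash.com",)          # assumption: legitimate link hosts
RISKY_TAGS = ("script", "iframe", "form", "object", "embed")


def host_allowed(url):
    """True when the URL's host is a trusted host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_HOSTS)


def find_indicators(raw_message):
    """Return indicator labels for one RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    html = part.get_content()
    found = [f"tag:{t}" for t in RISKY_TAGS if re.search(rf"<\s*{t}\b", html, re.I)]
    for href in re.findall(r"""href\s*=\s*["']([^"']+)""", html, re.I):
        if href.lower().startswith(("http://", "https://")) and not host_allowed(href):
            found.append(f"offsite_link:{urlparse(href).hostname}")
    # The disclosure's pattern: a genuinely authenticated sender carrying
    # attacker-controlled HTML, so a trusted sender raises severity here.
    if found and any(sender.endswith("@" + h) for h in TRUSTED_HOSTS):
        found.insert(0, "trusted_sender_with_injected_html")
    return found


# Constructed sample: a legitimate receipt link plus an injected credential form.
INJECTED = """\
From: DoorDash <no-reply@doordash.com>
To: user@example.com
Subject: Your order update
Content-Type: text/html; charset="utf-8"

<p>Receipt: <a href="https://www.doordash.com/orders/1">view</a></p>
<p>Urgent: <a href="https://account-verify.example.net/login">confirm card</a></p>
<form action="https://account-verify.example.net/submit"><input name="pw"></form>
"""

CLEAN = INJECTED.split("<p>Urgent")[0]   # constructed: only the receipt link
```

Because SPF, DKIM and DMARC all pass for such mail, the sender check is used to raise the finding's priority rather than to suppress it.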
Affected Countries
United Kingdom, Germany, France, Netherlands, Spain, Italy
Technical Details
Source Type
- Subreddit: netsec
- Reddit Score: 1
- Discussion Level: minimal
- Content Source: reddit_link_post
- Domain: gitlab.com
- Newsworthiness Assessment: score 55.1, newsworthy (reasons: external_link, trusted_domain, newsworthy_keywords:vulnerability, established_author, very_recent)
- Has External Source: true
- Trusted Domain: true
Threat ID: 69121361d84bdc1ba6926f09
Added to database: 11/10/2025, 4:31:29 PM
Last enriched: 11/10/2025, 4:31:51 PM
Last updated: 11/20/2025, 12:15:39 PM