Monday, November 11, 2019

Doordash and its security vulnerabilities



Doordash has been a big player in the food delivery app ecosystem and they, for lack of a better word, did an oopsie.




Doordash had a huge data breach back in (god knows when) but I'm sure it was 2018, and people kept telling them that their accounts were hacked while Doordash kept vehemently denying that it happened. The earliest account of it was on the r/doordash subreddit in October last year, and since then people have been complaining incessantly about it.
Doordash kept denying that there was a breach, at which point I had to cancel my Doordash account.

In response, Doordash deactivated my account but did not delete it.
Now, I was curious whether there really was a breach, or whether it was just people with really insecure passwords being brute-forced.
But I was wrong: there were thousands, if not tens of thousands, of Doordash accounts for sale on both the clear web and the dark web. Have a look at this nulled.to link from June 2018. https://www.nulled.to/topic/458936-autobuy-3-for-5-doordash-with-cc-attached/
If you search the forum you can see that there were at least 50 "sellers" of Doordash accounts, with detailed instructions on how to order from the said hacked accounts. Pretty soon, people started getting their accounts hacked by the dozen and then ran to Doordash support. This is where DoorDash support didn't care much. They could have empathized with the customers but instead just decided to either cancel their accounts or refuse refunds.
Finally, on September 26 of this year, a full year and three months after the first known hacked order, Doordash posted on its blog about the breach.




If you look at what Doordash shared, they said that the passwords were hashed and salted. Well, they were not hashed and salted enough (in layman's terms), or the hashing was so weak that a basement hacker could crack it and sell the accounts for a dollar online.
Look, breaches happen. But how you handle them as an organization matters a lot. Doordash did not post about this breach on their website at all, just on the blog.
Funnily enough, the robots.txt file of Doordash says "disallow security notice", which hides it from Google so people can't even search for it.
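As an added example (not DoorDash's code, and not based on any detail they disclosed), here is what the gap between "hashed" and "hashed and salted enough" looks like in practice. An unsalted, fast hash lets one precomputed table cover every user at once; a per-user random salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 here, with an assumed iteration count and constructed sample passwords) forces the work to be repeated for every account, which is what makes a leaked table expensive to turn into sellable logins.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (an assumed value for illustration);
# higher means more CPU time per guess for anyone who obtains the database.
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """Unsalted single-pass SHA-256: fast, and identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash with a fresh 16-byte random salt and a slow KDF.

    The stored record carries everything needed to verify later:
    algorithm$iterations$salt_hex$hash_hex
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def audit_unsalted(stored_hashes: list[str], wordlist: list[str]) -> int:
    """Defender-side audit: count how many unsalted SHA-256 hashes a table
    precomputed from a wordlist recovers. One table serves every user at once,
    which is why unsalted storage collapses so quickly after a leak."""
    table = {weak_hash(word): word for word in wordlist}
    return sum(1 for h in stored_hashes if h in table)


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
    wordlist = ["password", "hunter2", "123456"]

    unsalted = [weak_hash(p) for p in users.values()]
    print("unsalted hashes for alice and bob identical:", unsalted[0] == unsalted[1])
    print("unsalted records recovered by wordlist table:", audit_unsalted(unsalted, wordlist))

    records = {u: make_record(p) for u, p in users.items()}
    print("salted records for alice and bob identical:", records["alice"] == records["bob"])
    print("alice logs in:", verify("hunter2", records["alice"]))
    print("wrong password rejected:", verify("hunter3", records["alice"]))
```

The salt is stored in the clear next to the hash; that is expected. Its job is not secrecy but making every user's hash unique, so a table built for one account is useless for the next, and the iteration count is what keeps each individual guess slow.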
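An added example (not from the original post) of checking what a robots.txt rule actually does to a page. The file contents and the /security-notice path are constructed stand-ins, not DoorDash's real file; the check uses Python's standard urllib.robotparser, and the host name is a placeholder because the rules only look at the path.

```python
from urllib import robotparser

# Constructed robots.txt for illustration; not DoorDash's actual file, and
# "/security-notice" is an assumed path standing in for the notice's real URL.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /security-notice
"""


def hidden_from_crawlers(robots_txt: str, path: str, user_agent: str = "Googlebot") -> bool:
    """Return True if a well-behaved crawler with this user agent would skip `path`.

    A Disallow rule matches by prefix, so "/security-notice/2019" is covered too.
    """
    rp = robotparser.RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(user_agent, "https://example.com" + path)


def disallowed_paths(robots_txt: str) -> list[str]:
    """List every Disallow path, so a reviewer can spot disclosure pages being hidden."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


if __name__ == "__main__":
    print("disallowed:", disallowed_paths(SAMPLE_ROBOTS_TXT))
    print("/security-notice hidden:", hidden_from_crawlers(SAMPLE_ROBOTS_TXT, "/security-notice"))
    print("/menu hidden:", hidden_from_crawlers(SAMPLE_ROBOTS_TXT, "/menu"))
```

The practical caveat: robots.txt is advisory. It keeps a compliant search engine from indexing the page, so nobody finds the notice by searching, but anyone who already has the link can still load it; it hides a disclosure rather than protecting anything.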




In conclusion, if Doordash had been transparent about the breach, they could have massively improved the outcome and mitigated customer loss from the platform.
-Nikhil Narayan Daphale
