Security Update News
Update Information
| Title | DoorDash Hack |
|---|---|
| Update ID | SCHNEIER:5529D07287D9255C482570CB3457F5E0 |
| Type | schneier |
| Published | 2025-05-20T11:05:00 |
| Last Updated | 2025-05-20T04:17:44 |
Security Impact
| CVSS Score | 0.0 |
|---|---|
| Severity | NONE |
| Attack Vector |
Affected CVEs
Update Details
> The driver, Sayee Chaitainya Reddy Devagiri, placed expensive orders from a fraudulent customer account in the DoorDash app. Then, using DoorDash employee credentials, he manually assigned the orders to driver accounts he and the others involved had created. Devagiri would then mark the undelivered orders as complete and prompt DoorDash’s system to pay the driver accounts. Then he’d switch those same orders back to “in process” and do it all over again. Doing this “took less than five minutes, and was repeated hundreds of times for many of the orders,” writes the US Attorney’s Office.
Interesting flaw in the software design. He probably would have gotten away with it if he’d kept the numbers small. It’s only when the amount missing is too big to ignore that the investigations start.