Techdirt is off for the long weekend! We'll be back with our regular posts tomorrow.

Chipotle Exposes Private Data By Sending HR E-mails Via Unowned Domain, Doesn't See The Problem

from the utterly-oblivious dept

Chipotle has been making headlines lately for all the wrong reasons. While justifiably lauded for its efforts at embracing more sustainable agriculture, the restaurant chain is currently dealing with the aftermath of a massive E. coli outbreak in Washington and Oregon that resulted in dozens of illnesses and hospitalizations. And while the CDC's ongoing investigation of that outbreak is grabbing most of the public's attention, the company has quietly been caught up in another, less noticed snafu involving a total lack of fundamental security common sense.

Apparently, Chipotle's human resources department has been replying to new job applicants using the "chipotlehr.com" domain. The problem? This is a domain that the company neither owns nor controls, meaning that anybody could nab it for themselves and, with minimal effort, begin harvesting applicant data while posing as Chipotle. While the messages sent to applicants from this domain urge them not to respond to the e-mail, the fact that an unowned domain is being used for communications remains obviously problematic.
Noticing this potentially major problem, a security researcher named Michael Kohlman (who had apparently applied in order to maintain unemployment benefits while between gigs) grabbed the domain for $30. He then reached out to Chipotle to explain the liability created by the company's sloppy security and offered the company the domain, for free. Chipotle's response? Utter and total denial that there was any problem whatsoever:
"Kohlman has since offered to freely give over the domain to the restaurant chain. But Chipotle expressed zero interest in acquiring the free domain. In fact, Chipotle’s spokesman Chris Arnold says the company doesn’t see this as a big deal at all.

"The chipotlehr.com domain is not a functional address and never has been,” Arnold wrote in an emailed statement. “It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this. That address is being changed to careers.chipotle.com (a domain that we do own), but this has never been functional and is really a non-issue.”
That's a $3.5 billion company showing it has zero understanding of security. At all. The fact that the address lacked "operational significance" is totally irrelevant. All an attacker would need to do is register the domain, begin replying to recipients, and direct them to even a crude facsimile of a real Chipotle website. From there, it would have been trivial to farm applicants for all manner of personal data, including addresses, phone numbers, and Social Security numbers. The proper response from Chipotle to somebody highlighting this and offering the domain for free? Thank you.

Filed Under: email, hr, security
Companies: chipotle


Reader Comments



  • That One Guy (profile), 20 Nov 2015 @ 7:44am

    Small silver lining

    They may be idiots when it comes to security, but give them at least some credit: when informed about a glaring potential problem, they at least didn't try and sue the one who pointed it out to them.

  • beech, 20 Nov 2015 @ 8:24am

    no problem?

    So who am I to believe about a website's security practices? A security researcher or someone employed by the company to make them look good no matter what?

    And if sending emails on an unsecured domain is perfectly fine and no problem, why did they bother to change it?!

  • Stephen, 20 Nov 2015 @ 8:45am

    SPAM filters

    I'm actually surprised the emails went through. The email already has a lot of marketing speak and then you add no valid DNS records. It really looks like SPAM or a phishing attempt.

  • Mason Wheeler (profile), 20 Nov 2015 @ 9:04am

    When I lived in Washington, I went to a Chipotle once. I found it to be very, very similar to the less-famous Qdoba, but with one significant difference: Chipotle is a victim of "Mexican restaurant disease." If you haven't heard of it, this is a mental condition known to frequently affect people who run Mexican restaurants, which causes them to think everything should be extremely hot (as in spicy, not temperature) and to treat picante as an acceptable substitute for flavor. Qdoba did not have that problem.

    I didn't go back. With this E. coli outbreak, I'm glad I didn't.

    • Dan (profile), 20 Nov 2015 @ 9:26am

      Re:

      I agree that Chipotle is very similar to Qdoba (and Moe's, for that matter), both of which I prefer over Chipotle if given the option. But I've eaten at a lot of Mexican restaurants, and I don't recall any where I had trouble finding a dish that wasn't uncomfortably spicy. Maybe you've been eating at the wrong restaurants.

  • alternatives(), 20 Nov 2015 @ 9:10am

    There is a reason no one has heard of it.

    Chipotle is a victim of "Mexican restaurant disease." If you haven't heard of it,

    That's because it is a made-up "disease". It doesn't exist outside the head of the person who's claiming the existence of the condition.

    • Michael, 20 Nov 2015 @ 10:47am

      Re: There is a reason no one has heard of it.

      You appear to be suffering from the "claiming real diseases are made up diseases" disease.

      I suggest you seek medical help immediately.

  • Anonymous Coward, 20 Nov 2015 @ 9:10am

    Never ate there, never will.

  • Dan (profile), 20 Nov 2015 @ 9:22am

    Misleading headline

    Your headline says "Chipotle exposes private data"--how, precisely, does Chipotle do this? You've described a hypothetical scenario, which so far as you know (or at least, so far as you've said) hasn't actually happened, in which a job applicant might inadvertently expose their private data to a malicious third party. But so far as you've described, Chipotle hasn't exposed anything to anybody. Could you clarify, or fix your headline?

    This isn't to defend them--this is a completely boneheaded mistake. But what it is, is bad enough that you don't need to invent other things that it isn't.

    • Anonymous Coward, 20 Nov 2015 @ 9:35am

      Re: Misleading headline

      If I leave my house empty, unlocked and unguarded, have I not exposed it to potential thieves, regardless of whether any thieves actually take advantage?

      • Anonymous Coward, 20 Nov 2015 @ 6:52pm

        Re: Re: Misleading headline

        I would say Techdirt is exposed right now. Same goes for every other site that is online.

    • Anonymous Coward, 20 Nov 2015 @ 9:39am

      Re: Misleading headline

      "congratulations, Mr XYZ
      you have accomplished the next selection stage!!!
      we need to check some details before we send you the link to our internal hr website,
      please send us your SSN via answering to this email..."

      • Dan (profile), 20 Nov 2015 @ 10:13am

        Re: Re: Misleading headline

        The analogy presented by AC#1, and the hypothetical presented by AC#2, are both completely off-base.

        To AC#1: Your analogy would work if Chipotle were leaving their systems unsecured. As far as this article portrays, though, there's no lack of security on their systems.

        To AC#2: The email that was sent did not request any information, and it specifically directed that recipients not reply to it. How exactly do you think your hypothetical relates to this story?

        Again, there's just no excuse for their setting up their autoresponder to reply from an address they don't own, on a domain they don't own or have any control over. That's bad enough, and it makes them look like complete n00bz. Reveal their incompetence for what it is, but don't invent harms that haven't happened.

        • Anonymous Coward, 20 Nov 2015 @ 10:51am

          Re: Re: Re: Misleading headline

          There is a lack of security in their method. You're being obtuse.

          • Dan (profile), 20 Nov 2015 @ 11:17am

            Re: Re: Re: Re: Misleading headline

            You're making an orthogonal point. Yes, their (former) method is poorly thought out. Yes, it could result (mind you, "could result" is not the same as "has resulted") in other people (i.e., not them) sending private information to malicious third parties. But that's not what the article claims. The article--specifically, the headline--claims, "Chipotle exposes private data". That claim, at least as applied to the rest of the article, is false--Chipotle has exposed no data at all. The worst that can be said is that they've created a risk that someone else will expose private data.

            • Klaus, 21 Nov 2015 @ 9:20am

              Re: Re: Re: Re: Re: Misleading headline

              And neither is "could" the same as "hasn't".

              The point has been well made that neither Chipotle nor you are in any position to claim, let alone prove the opposite, that no data has been exposed. They have put their job applicants' personal data at risk and seemingly couldn't care less.

              They should be birched for this.

        • Anonymous Coward, 20 Nov 2015 @ 11:34am

          Re: Re: Re: Misleading headline

          How many replies do you think noreply@everydomain.ever gets? A lot.

          Their mail admin should have stopped this from ever happening by saying "Boss, this is stupid as hell. People are not always brilliant and will reply to these messages. We should snatch up the domain even if all the responses die in the sender's queue, and we're going to end up in just about every major email provider's spam filter because there isn't an MX record in any DNS server for this domain and our outgoing mail would fail an SPF check. Or we could just use noreply@chipotle.com." Two solutions that could have averted introducing additional risk. The first is configuring the outgoing email to use a legitimate domain as the sender/reply-to. The other is one annual $30 credit card charge and an hour's worth of work.

          The quote:
          "The chipotlehr.com domain is not a functional address and never has been,"
          -is simply not true. It wasn't functional at a point in time, but it sure as hell is now, just not for them.

          Another quote:
          "It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this."
          -I beg to differ, but yes, there is a security risk. Also, sending an email almost guarantees soliciting a response from some percentage of recipients. They asked people to follow a link, but didn't explain why. If it didn't have operational significance, why the hell did they need to use the chipotlehr.com domain in the first place?

          They sent email with a faked from address, for a domain they did not own or have permission to use for this purpose, and used it for official company communications that would almost certainly wind up with PII exposure, even if the response rate was minimal. That's a risk. It could possibly be construed as negligence. I certainly think it is in the English definition, but I'm no lawyer so I can't speak to the legal definition.

          While technically their own site, that they actually operate, didn't have this risk/vulnerability, their HR business practices did introduce risk and a vulnerability for those who were attempting to communicate with their HR department. Because some dipshit at Chipotle didn't want to use noreply@chipotle.com, they opened up an easy avenue for mischief, fraud, or identity theft for potential employees.

          As a final point, where in the screenshot of Krebs' email does it say "Do not reply to this message, it is an un-monitored mailbox"? It doesn't, nor anything even close, and it sure as hell doesn't tell the recipient that any replies will go to a system Chipotle doesn't own or control. Go read the article on Krebs' site and tell me that nobody was ever at risk. The person who registered the domain got a LOT of replies and information. It would have been trivial to get those applicants to give up any and all information the chipotlehr.com domain owner wanted. Those people are job hunting and would, in some cases, be quite desperate and willing to do whatever is asked.

          Luckily for Chipotle it was a decent person who found this gap and filled it for them. They should be thanking this guy and (ironically) offering him a job.

          • Klaus, 21 Nov 2015 @ 9:29am

            Re: Re: Re: Re: Misleading headline

            +1 Your comment about job seekers being desperate is esp. valid

            "In order to process your application, please send $100 processing fee via Western Union to our Nigerian head office."

    • Anonymous Coward, 20 Nov 2015 @ 11:32am

      Re: Misleading headline

      True... reading everything presented here, I would have come to a completely misled conclusion about what's happening if I didn't actually work in this field.

      For a clearer explanation of the issue:

      Chipotle forged the "from" address on their HR notification emails (likely to prevent replies from reaching them). The forged "from" domain they chose was "chipotlehr.com" which was an unregistered domain.

      This means that anyone replying to any email from these addresses will get an eventual reply back from their mail server stating that the message was undeliverable.

      What the security researcher did was register the domain, for the express purpose of:

      Preventing a third party from registering the domain and then pretending to be Chipotle HR by receiving all the emails from people who replied to the "do not reply" email address.

      So what Chipotle was actually doing is setting up a phishing attack for anyone to take advantage of, with the added bonus for the phisher that the conversation was started between a legit Chipotle HR representative and the potential victims.

      To make it clearer for Chipotle: this is the equivalent of sending out letters to all the applicants with a return address for a PO box they don't actually own.

      Anything the recipients actually SEND will go to that PO box, and whoever actually owns it can do what they like with what they receive.

  • Anonymous Coward, 20 Nov 2015 @ 9:35am

    since this will NEVER reach mainstream news...

    sell the domain on eBay India!!!

    I am sure any young entrepreneur Indian Zuckerberg can manage to get millions
    just asking for an application fee

    • Anonymous Coward, 20 Nov 2015 @ 9:42am

      Re:

      The US has plenty of unemployed applicants,
      who would all pay a small fee for the application...
      after he buys himself a couple of Indian cities and politicians he will be untouchable...

  • Anonymous Coward, 20 Nov 2015 @ 9:57am

    Domain Name: CHIPOTLEHR.COM
    Registry Domain ID:
    Registrar WHOIS Server: whois.domaindiscover.com
    Registrar URL: https://www.tierra.net
    Updated Date: 2015-11-13T12:03:30Z
    Creation Date: 2015-11-13T12:02:13Z

    • orbitalinsertion (profile), 20 Nov 2015 @ 12:39pm

      Re:

      ;; QUESTION SECTION:
      ;chipotlehr.com. IN MX

      ;; ANSWER SECTION:
      chipotlehr.com. 3600 IN MX 10 mx1.daemonmail.net.
      chipotlehr.com. 3600 IN MX 10 mx2.daemonmail.net.

      And?

      But hey, this guy knows how to set up domain records. Better than many commercial entities. And RFC 2142 compliant. Someone hire him.

  • Anonymous Coward, 20 Nov 2015 @ 10:38am

    Good luck hiring someone who can fix the problem; any admin that knows their stuff wouldn't respond to an email from that domain.

  • David Dowdle (profile), 20 Nov 2015 @ 11:17am

    Couldn't the person that now owns the domain put up an SPF record different than the email server that Chipotle is using and cause their emails to be rejected by many spam filters?

    • Anonymous Coward, 20 Nov 2015 @ 11:37am

      Re:

      yup. But most spam filters will reject emails with forged from headers anyway.

      So what's really been happening for the most part is HR has been firing off responses to applicants that never arrive... but Chipotle would never know, as they weren't expecting a response.

      • David Dowdle (profile), 20 Nov 2015 @ 12:08pm

        Re: Re:

        My understanding is that spam filters can only know it's forged if the domain has an SPF record on it with authorized mail servers. That's not the case here.
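The article's point (an outbound sender domain the company does not own) and this thread's point (a receiver can only call the mail forged on SPF grounds if the domain actually publishes an SPF record) both reduce to checks a mail administrator can run on every configured From/Reply-To address before it goes live. The Python below is an added example, not code from Techdirt, Chipotle, Krebs or any commenter. The domains example.org and example-hr.net, the zone data, the owned-domain inventory and the sender IPs are constructed stand-ins, and the resolver is a stub that a real deployment would replace with a DNS client such as dnspython. The SPF evaluator is deliberately minimal (ip4, ip6 and all mechanisms only) so that the "no record at all" case from this thread is visible: it returns "none", not "fail".

```python
"""Outbound sender-domain audit (added example; assumptions noted in comments).

Two checks before an application is allowed to send mail "from" a domain:
  1. the domain is in the organisation's owned-domain inventory, so nobody
     else can register it and start receiving the replies; and
  2. the domain has MX and SPF records that fit the sending host, so replies
     land with the organisation and receivers can verify the sender.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# resolver(name, rrtype) -> list of record strings; swap in a real DNS client
Resolver = Callable[[str, str], List[str]]

# Constructed sample zone data. "example.org" stands in for a domain the
# organisation owns; "example-hr.net" stands in for the unowned one.
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.org", "MX"): ["10 mail.example.org."],
    ("example.org", "TXT"): ['"v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"'],
    ("example-hr.net", "MX"): [],
    ("example-hr.net", "TXT"): [],
}


def sample_resolver(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for a DNS lookup over the constructed zone above."""
    return list(SAMPLE_ZONE.get((name.rstrip(".").lower(), rrtype), []))


def find_spf_record(domain: str, resolve: Resolver) -> Optional[str]:
    """Return the v=spf1 TXT record for domain, or None if it publishes none."""
    for txt in resolve(domain, "TXT"):
        value = txt.strip('"')
        if value.lower().startswith("v=spf1"):
            return value
    return None


def spf_check(domain: str, sender_ip: str, resolve: Resolver) -> str:
    """Minimal SPF evaluation supporting ip4:, ip6: and all (with qualifiers).

    Returns 'pass', 'fail', 'softfail', 'neutral', or 'none' when the domain
    has no SPF record, which is what a receiver sees for an unowned domain.
    include:, a, mx and redirect= are out of scope here and raise.
    """
    record = find_spf_record(domain, resolve)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qual = "+"
        if term[0] in qualifiers:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue  # malformed mechanism: ignore rather than match
            if ip.version == net.version and ip in net:
                return qualifiers[qual]
        elif mech == "all":
            return qualifiers[qual]
        else:
            raise NotImplementedError(f"SPF mechanism not supported here: {term}")
    return "neutral"  # no mechanism matched and no explicit all


def audit_sender(address: str, owned_domains: List[str], sender_ip: str,
                 resolve: Resolver = sample_resolver) -> List[str]:
    """Audit one configured From/Reply-To address; return a list of findings."""
    domain = address.rsplit("@", 1)[-1].lower()
    findings = []
    if domain not in {d.lower() for d in owned_domains}:
        findings.append(f"{domain}: not in owned-domain inventory; anyone may register it")
    if not resolve(domain, "MX"):
        findings.append(f"{domain}: no MX record; replies bounce or go to whoever adds one")
    result = spf_check(domain, sender_ip, resolve)
    if result != "pass":
        findings.append(f"{domain}: SPF result '{result}' for {sender_ip}; receivers cannot verify")
    return findings


if __name__ == "__main__":
    owned = ["example.org"]  # constructed inventory
    for addr in ("noreply@example.org", "noreply@example-hr.net"):
        for line in audit_sender(addr, owned, "192.0.2.25") or [f"{addr}: ok"]:
            print(line)
```

The owned-domain check is the one that would have caught the case in the article: it does not depend on DNS at all, only on an inventory the organisation maintains, so it flags the address before anyone else has a chance to register the domain. The SPF check shows why the thread's "spam filters will catch it" argument is weak for an unregistered domain: with no record the result is "none", which receivers treat as no information rather than as proof of forgery.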

  • orbitalinsertion (profile), 20 Nov 2015 @ 12:40pm

    Security?

    They don't understand the internet.

  • Anonymous Coward, 21 Nov 2015 @ 8:10am

    Occam's Razor

    When I saw a headline indicating that somebody had made an incomprehensibly bad business decision, my first instinct was to do an image search for the person's name to see if they looked like a diversity hire.

    That doesn't appear to be the case here, so what is Chris Arnold's excuse?


