Chipotle Exposes Private Data By Sending HR E-mails Via Unowned Domain, Doesn't See The Problem
from the utterly-oblivious dept
Chipotle has been making headlines lately for all the wrong reasons. While justifiably lauded for its efforts at embracing more sustainable agriculture, the restaurant is currently in the aftermath of a massive E. Coli outbreak in Washington and Oregon that resulted in dozens of illnesses and hospitalizations. And while the CDC’s ongoing investigation of that outbreak is grabbing most of the public’s attention, the company’s quietly been caught up in another, less noticed snafu involving a total lack of fundamental, security common sense.
Apparently, Chipotle’s human resources department has been replying to new job applicants using the “chipotlehr.com” domain. The problem? This is a domain that the company neither owns nor controls, meaning that anybody could nab it for themselves and, with minimal effort, begin harvesting applicant data while posing as Chipotle. While the messages sent to applicants from this domain urge them not to respond to the e-mail, the fact that an unowned domain is being used for communications still remains obviously problematic:

“Kohlman has since offered to freely give over the domain to the restaurant chain. But Chipotle expressed zero interest in acquiring the free domain. In fact, Chipotle’s spokesman Chris Arnold says the company doesn’t see this as a big deal at all.
“The chipotlehr.com domain is not a functional address and never has been,” Arnold wrote in an emailed statement. “It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this. That address is being changed to careers.chipotle.com (a domain that we do own), but this has never been functional and is really a non-issue.”
That’s a $3.5 billion company showing it has zero understanding of security. At all. The fact that it lacked “operational significance” is totally irrelevant. All a hacker would need to do is register the domain, begin replying to recipients, and direct them to even a crude facsimile of a real Chipotle website. From there, it would have been trivial to farm applicants for all manner of personal data, including addresses, phone numbers, and social security numbers. The proper response from Chipotle to somebody highlighting this and offering the domain for free? Thank you.
Comments on “Chipotle Exposes Private Data By Sending HR E-mails Via Unowned Domain, Doesn't See The Problem”
Small silver lining
They may be idiots when it comes to security, but give them at least some credit, when informed about a glaring potential problem, they at least didn’t try and sue the one who pointed it out to them.
Re: Small silver lining
Exactly what I was going to point out.
At least they didn’t sic the lawyers. Yet.
But now that they have egg on their face, and are exposed as incompetent fools, the lawyers may yet be unleashed.
Re: Re: Small silver lining
They better wash that egg off their face ASAP, or else they might be risking a salmonella outbreak as well.
Re: Re: Small silver lining
Re: Re: Re: Small silver lining
They would have guac on their face, but that costs extra.
Re: Re: Re:2 Small silver lining
The don’t eat at Chipotle because of the e. coli.
Re: Re: Re:3 Small silver lining
I only eat there if the e. coli is sustainably sourced.
Re: Small silver lining
It’s sad that’s something we can look at as a silver lining.
no problem?
So who am I to believe about a website’s security practices? A security researcher or someone employed by the company to make them look good no matter what?
And if sending emails on an unsecured domain is perfectly fine and no problem, why did they bother to change it?!
SPAM filters
I’m actually surprised the emails went through. The email already has a lot of marketing speak and then you add no valid dns records. It really looks like SPAM or a phishing attempt.
Re: SPAM filters
They probably have on the site a notice about checking spam filters.
When I lived in Washington, I went to a Chipotle once. I found it to be very, very similar to the less-famous Qdoba, but with one significant difference: Chipotle is a victim of “Mexican restaurant disease.” If you haven’t heard of it, this is a mental condition known to frequently affect people who run Mexican restaurants, which causes them to think everything should be extremely hot (as in spicy, not temperature) and to treat picante as an acceptable substitute for flavor. Qdoba did not have that problem.
I didn’t go back. With this E. Coli outbreak, I’m glad I didn’t.
Re: Re:
I agree that Chipotle is very similar to Qdoba (and Moe’s, for that matter), both of which I prefer over Chipotle if given the option. But I’ve eaten at a lot of Mexican restaurants, and I don’t recall any where I had trouble finding a dish that wasn’t uncomfortably spicy. Maybe you’ve been eating at the wrong restaurants.
There is a reason no one has heard of it.
Chipotle is a victim of “Mexican restaurant disease.” If you haven’t heard of it,
That’s because it is a made-up “disease”. It doesn’t exist outside the head of the person who’s claiming the existence of the condition.
Re: There is a reason no one has heard of it.
You appear to be suffering from the “claiming real diseases are made up diseases” disease.
I suggest you seek medical help immediately.
Never ate there, never will.
Misleading headline
Your headline says “Chipotle exposes private data”–how, precisely, does Chipotle do this? You’ve described a hypothetical scenario, which so far as you know (or at least, so far as you’ve said) hasn’t actually happened, in which a job applicant might inadvertently expose their private data to a malicious third party. But so far as you’ve described, Chipotle hasn’t exposed anything to anybody. Could you clarify, or fix your headline?
This isn’t to defend them–this is a completely boneheaded mistake. But what it is, is bad enough that you don’t need to invent other things that it isn’t.
Re: Misleading headline
If I leave my house empty, unlocked and unguarded, have I not exposed it to potential thieves, regardless of if any thieves actually take advantage?
Re: Re: Misleading headline
I would say Techdirt is exposed right now. Same goes for every other site that is online.
Re: Misleading headline
“congratulations, Mr XYZ
you have accomplished the next selection stage!!!
we need to check some details before we send you the link to our internal hr website,
please send us your SSN via answering to this email…”
Re: Re: Misleading headline
The analogy presented by AC#1, and the hypothetical presented by AC#2, are both completely off-base.
To AC#1: Your analogy would work if Chipotle were leaving their systems unsecured. As far as this article portrays, though, there’s no lack of security on their systems.
To AC#2: The email that was sent did not request any information, and it specifically directed that recipients not reply to it. How exactly do you think your hypothetical relates to this story?
Again, there’s just no excuse for their setting up their autoresponder to reply from an address they don’t own, on a domain they don’t own, or have any control over. That’s bad enough, and it makes them look like complete n00bz. Reveal their incompetence for what it is, but don’t invent harms that haven’t happened.
Re: Re: Re: Misleading headline
There is a lack of security in their method. You’re being obtuse.
Re: Re: Re:2 Misleading headline
You’re making an orthogonal point. Yes, their (former) method is poorly thought out. Yes, it could result (mind you, “could result” is not the same as “has resulted”) in other people (i.e., not them) sending private information to malicious third parties. But that’s not what the article claims. The article–specifically, the headline–claims, “Chipotle exposes private data”. That claim, at least as applied to the rest of the article, is false–Chipotle has exposed no data at all. The worst that can be said is that they’ve created a risk that someone else will expose private data.
Re: Re: Re:3 Misleading headline
And neither is “could” the same as “hasn’t”.
The point has been well made that neither Chipotle nor yourself are in any position to claim, let alone prove the opposite, that no data has been exposed. They have put their job applicants’ personal data at risk and seemingly couldn’t care less.
They should be birched for this.
Re: Re: Re: Misleading headline
How many replies do you think noreply@everydomain.ever get? A lot.
Their mail admin should have stopped this from ever happening by saying “Boss, this is stupid as hell. People are not always brilliant and will reply to these messages. We should snatch up the domain even if all the responses die in the sender’s queue, and we’re going to end up in just about every major email provider’s spam filter because there isn’t an MX record in any DNS server for this domain and our outgoing mail would fail an SPF check. Or we could just use noreply@chipotle.com.” Two solutions that could have averted introducing additional risk. The first is configuring the outgoing email to use a legitimate domain as the sender/reply-to. The other is one annual $30 credit card charge and an hour’s worth of work.
The quote:
“The chipotlehr.com domain is not a functional address and never has been,”
-is simply not true. It wasn’t functional at a point in time, but it sure as hell is now, just not for them.
Another quote:
“It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this.”
-I beg to differ, but yes, there is a security risk. Also, sending an email almost guarantees soliciting a response from some percentage of recipients. They asked people to follow a link, but didn’t explain why. If it didn’t have operational significance, why the hell did they need to use the chipotlehr.com domain in the first place?
They sent email with a faked from address, for a domain they did not own or have permission to use for this purpose, and used it for official company communications that would almost certainly wind up with PII exposure, even if the response rate was minimal. That’s a risk. It could possibly be construed as negligence. I certainly think it is in the English definition, but I’m no lawyer so I can’t speak to the legal definition.
While technically their own site, that they actually operate, didn’t have this risk/vulnerability, their HR business practices did introduce risk and a vulnerability for those who were attempting to communicate with their HR department. Because some dipshit at Chipotle didn’t want to use noreply@chipotle.com, they opened up an easy avenue for mischief, fraud, or identity theft for potential employees.
As a final point, where in the screenshot of Krebs’ email does it say “Do not reply to this message, it is an un-monitored mailbox”? It doesn’t, nor anything even close, and it sure as hell doesn’t tell the recipient that any replies will go to a system Chipotle doesn’t own or control. Go read the article on Krebs’ site and tell me that nobody was ever at risk. The person who registered the domain got a LOT of replies and information. It would have been trivial to get those applicants to give up any and all information the chipotlehr.com domain owner wanted. Those people are job hunting and would, in some cases, be quite desperate and willing to do whatever is asked.
Luckily for Chipotle it was a decent person who found this gap and filled it for them. They should be thanking this guy and (ironically) offering him a job.
Re: Re: Re:2 Misleading headline
+1 Your comment about job seekers being desperate is esp. valid
“In order to process your application, please send $100 processing fee via Western Union to our Nigerian head office.”
Re: Misleading headline
True… reading everything presented here, I would have come to a completely misled conclusion about what’s happening if I didn’t actually work in this field.
For a clearer explanation of the issue:
Chipotle forged the “from” address on their HR notification emails (likely to prevent replies from reaching them). The forged “from” domain they chose was “chipotlehr.com” which was an unregistered domain.
This means that anyone replying to any email from these addresses will get an eventual reply back from their mail server stating that the message was undeliverable.
What the security researcher did was register the domain, for the express purpose of:
Preventing a third party from registering the domain and then pretending to be Chipotle HR by receiving all the emails from people who replied to the “do not reply” email address.
So what Chipotle was actually doing is setting up a phishing attack for anyone to take advantage of, with the added bonus for the phisher that the conversation was started between a legit Chipotle HR representative and the potential victims.
To make it clearer for Chipotle: this is the equivalent of sending out letters to all the applicants with a return address for a PO box they don’t actually own.
Anything the recipients actually SEND will go to that PO box, and whoever actually owns it can do what they like with what they receive.
since this will NEVER reach mainstream news…
sell the domain in ebay india!!!
I am sure any young entrepreneur indian- zuckerberg can manage to get millions
just asking for an application fee
Re: Re:
US is plenty of unemployed applicants,
who would all pay a small fee for the application…
after he buys himself a couple of indian cities and politicians he will be untouchable…
Domain Name: CHIPOTLEHR.COM
Registry Domain ID:
Registrar WHOIS Server: whois.domaindiscover.com
Registrar URL: https://www.tierra.net
Updated Date: 2015-11-13T12:03:30Z
Creation Date: 2015-11-13T12:02:13Z
Re: Re:
;; QUESTION SECTION:
;chipotlehr.com. IN MX
;; ANSWER SECTION:
chipotlehr.com. 3600 IN MX 10 mx1.daemonmail.net.
chipotlehr.com. 3600 IN MX 10 mx2.daemonmail.net.
And?
But hey, this guy knows how to set up domain records. Better than many commercial entities. And RFC 2142 compliant. Someone hire him.
Good luck hiring someone who can fix the problem, any admin that knows their stuff wouldn’t respond to an email from that domain.
Couldn’t the person that now owns the domain put up an SPF record different than the email server that Chipotle is using and cause their emails to be rejected by many spam filters?
Re: Re:
yup. But most spam filters will reject emails with forged from headers anyway.
So what’s really been happening for the most part is HR has been firing off responses to applicants that never arrive… but Chipotle would never know, as they weren’t expecting a response.
Re: Re: Re:
My understanding is that spam filters can only know it’s forged if the domain has an SPF record on it with authorized mail servers. That’s not the case here.
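The point made in the comment above and in the earlier mail-admin comment (a receiving filter can only reject mail from a forged sender domain if that domain publishes an SPF policy, and an unregistered domain publishes nothing) as an added example; this is not code from the article or from any commenter. It evaluates a simplified SPF record (only ip4/ip6 mechanisms and all, no include/a/mx/redirect) against a constructed, in-memory stand-in for DNS; hr.example, soft.example, unowned.example and the addresses are made-up values, not real DNS data.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# A domain missing from this table models an unregistered domain that
# publishes no records at all (the chipotlehr.com situation in the article).
SPF_RECORDS = {
    "hr.example": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all",
    "soft.example": "v=spf1 ip4:203.0.113.5 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS):
    """Simplified SPF evaluation: returns pass/fail/softfail/neutral/none.

    Only ip4/ip6 mechanisms and 'all' are handled; a real resolver would also
    follow include/a/mx/redirect terms.
    """
    record = records.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published: the receiver has nothing to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and arg:
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # RFC 7208: no match and no 'all' term yields neutral


def forgery_detectable(domain, sender_ip, records=SPF_RECORDS):
    """True when the published policy lets a receiver treat this sender as unauthorized."""
    return check_spf(domain, sender_ip, records) in ("fail", "softfail")


if __name__ == "__main__":
    # Mail from an unrelated IP claiming to be hr.example can be rejected;
    # the same mail claiming an unpublished domain cannot be told apart from real mail.
    for dom in ("hr.example", "soft.example", "unowned.example"):
        print(dom, check_spf(dom, "203.0.113.7"), forgery_detectable(dom, "203.0.113.7"))
```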
Security?
They don’t understand the internet.
Occam's Razor
When I saw a headline indicating that somebody had made an incomprehensibly bad business decision, my first instinct was to do an image search for the person’s name to see if they looked like a diversity hire.
That doesn’t appear to be the case here, so what is Chris Arnold’s excuse?