Chipotle Exposes Private Data By Sending HR E-mails Via Unowned Domain, Doesn't See The Problem
from the utterly-oblivious dept
Chipotle has been making headlines lately for all the wrong reasons. While justifiably lauded for its efforts at embracing more sustainable agriculture, the restaurant chain is currently in the aftermath of a massive E. coli outbreak in Washington and Oregon that resulted in dozens of illnesses and hospitalizations. And while the CDC's ongoing investigation of that outbreak is grabbing most of the public's attention, the company has quietly been caught up in another, less noticed snafu involving a total lack of fundamental security common sense.
Apparently, Chipotle's human resources department has been replying to new job applicants from addresses at the "chipotlehr.com" domain. The problem? This is a domain that the company neither owns nor controls, meaning that anybody could register it and, with minimal effort, begin harvesting applicant data while posing as Chipotle. While the messages sent to applicants from this domain urge them not to respond to the e-mail, the fact that an unowned domain is being used for official communications still remains obviously problematic:
"Kohlman has since offered to freely give over the domain to the restaurant chain. But Chipotle expressed zero interest in acquiring the free domain. In fact, Chipotle's spokesman Chris Arnold says the company doesn't see this as a big deal at all.
"The chipotlehr.com domain is not a functional address and never has been," Arnold wrote in an emailed statement. "It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this. That address is being changed to careers.chipotle.com (a domain that we do own), but this has never been functional and is really a non-issue.""
That's a $3.5 billion company showing it has zero understanding of security. At all. Whether the address had "operational significance" to Chipotle is irrelevant; what matters is who receives the mail that applicants send to it. All an attacker would need to do is register the domain, point it at a mail server, begin replying to recipients, and direct them to even a crude facsimile of a real Chipotle website. From there, it would be trivial to farm applicants for all manner of personal data, including addresses, phone numbers, and Social Security numbers. The proper response from Chipotle to somebody highlighting this and offering the domain for free? Thank you.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Reader Comments
Re: Small silver lining
At least they didn't sic the lawyers. Yet.
But now that they have egg on their face, and are exposed as incompetent fools, the lawyers may yet be unleashed.
Re: Re: Small silver lining
Nonsense. Eggs aren't on the major ingredient list at Chipotle.
Clearly, they have refried beans on their face.
no problem?
And if sending emails on an unsecured domain is perfectly fine and no problem, why did they bother to change it?!
I didn't go back. With this E. Coli outbreak, I'm glad I didn't.
There is a reason no one has heard of it.
That's because it is made up "disease". Doesn't exist outside the head of the person who's claiming the existence of the condition.
Re: There is a reason no one has heard of it.
I suggest you seek medical help immediately.
Misleading headline
This isn't to defend them--this is a completely boneheaded mistake. But what it is, is bad enough that you don't need to invent other things that it isn't.
Re: Misleading headline
"you have accomplished the next selection stage!!!
we need to check some details before we send you the link to our internal hr website,
please send us your SSN via answering to this email..."
Re: Re: Misleading headline
To AC#1: Your analogy would work if Chipotle were leaving their systems unsecured. As far as this article portrays, though, there's no lack of security on their systems.
To AC#2: The email that was sent did not request any information, and it specifically directed that recipients not reply to it. How exactly do you think your hypothetical relates to this story?
Again, there's just no excuse for their setting up their autoresponder to reply from an address they don't own, on a domain they don't own, or have any control over. That's bad enough, and it makes them look like complete n00bz. Reveal their incompetence for what it is, but don't invent harms that haven't happened.
Re: Re: Re: Re: Re: Misleading headline
The point has been well made that neither Chipotle nor yourself is in any position to claim, let alone prove the opposite, that no data has been exposed. They have put their job applicants' personal data at risk and seemingly couldn't care less.
They should be birched for this.
Re: Re: Re: Misleading headline
Their mail admin should have stopped this from ever happening by saying "Boss, this is stupid as hell. People are not always brilliant and will reply to these messages. We should snatch up the domain even if all the responses die in the sender's queue, and we're going to end up in just about every major email provider's spam filter because there isn't an MX record in any DNS server for this domain and our outgoing mail would fail an SPF check. Or we could just use noreply@chipotle.com." Two solutions that could have averted introducing additional risk. The first is configuring the outgoing email to use a legitimate domain as the sender/reply-to. The other is one annual $30 credit card charge and an hour's worth of work.
The quote:
"The chipotlehr.com domain is not a functional address and never has been,”
-is simply not true. It wasn't functional at a point in time, but it sure as hell is now, just not for them.
Another quote:
“It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this."
-I beg to differ, but yes, there is a security risk. Also, sending an email almost guarantees soliciting a response from some percentage of recipients. They asked people to follow a link, but didn't explain why. If it didn't have operational significance, why the hell did they need to use the chipotlehr.com domain in the first place?
They sent email with a faked from address, for a domain they did not own or have permission to use for this purpose, and used it for official company communications that would almost certainly wind up with PII exposure, even if the response rate was minimal. That's a risk. It could possibly be construed as negligence. I certainly think it is in the English definition, but I'm no lawyer so I can't speak to the legal definition.
While technically their own site, that they actually operate, didn't have this risk/vulnerability, their HR business practices did introduce risk and a vulnerability for those who were attempting to communicate with their HR department. Because some dipshit at Chipotle didn't want to use noreply@chipotle.com, they opened up an easy avenue for mischief, fraud, or identity theft for potential employees.
As a final point, where in the screenshot of Krebs' email does it say "Do not reply to this message, it is an un-monitored mailbox"? It doesn't, nor anything even close, and it sure as hell doesn't tell the recipient that any replies will go to a system Chipotle doesn't own or control. Go read the article on Krebs' site and tell me that nobody was ever at risk. The person who registered the domain got a LOT of replies and information. It would have been trivial to get those applicants to give up any and all information the chipotlehr.com domain owner wanted. Those people are job hunting and would, in some cases, be quite desperate and willing to do whatever is asked.
Luckily for Chipotle it was a decent person who found this gap and filled it for them. They should be thanking this guy and (ironically) offering him a job.
Re: Re: Re: Re: Misleading headline
"In order to process your application, please send $100 processing fee via Western Union to our Nigerian head office."
Re: Misleading headline
For a clearer explanation of the issue:
Chipotle forged the "from" address on their HR notification emails (likely to prevent replies from reaching them). The forged "from" domain they chose was "chipotlehr.com" which was an unregistered domain.
This means that anyone replying to any email from these addresses will get an eventual reply back from their mail server stating that the message was undeliverable.
What the security researcher did was register the domain, for the express purpose of:
Preventing a third party from registering the domain and then pretending to be Chipotle HR by receiving all the emails from people who replied to the "do not reply" email address.
So what Chipotle was actually doing is setting up a phishing attack for anyone to take advantage of, with the added bonus for the phisher that the conversation was started between a legit Chipotle HR representative and the potential victims.
To make it clearer for Chipotle: this is the equivalent of sending out letters to all the applicants with a return address for a PO box they don't actually own.
Anything the recipients actually SEND will go to that PO box, and whoever actually owns it can do what they like with what they receive.
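The failure the article describes, and the comment above spells out (a From domain nobody owns, replies bouncing until somebody registers it, at which point every reply lands in a stranger's mailbox), suggests a simple preventive control: audit outbound mail before it leaves and refuse any addressing header whose domain the organisation does not own. The Python below is an added example written for this page; it is not code from Techdirt, Krebs, Kohlman or Chipotle. The owned-domain list, the stand-in DNS tables, the mail host names and the sample messages (including the "noreply" local part) are all constructed; a real deployment would replace the tables with live MX and TXT lookups.

```python
"""
Audit outbound mail for sender domains the organisation does not control.

Added example for this page, not Chipotle's, Krebs's or Techdirt's code.
Everything here is constructed: the owned-domain list, the stand-in DNS
tables and the sample messages. Nothing touches the network.
"""
import email
from email.utils import getaddresses

# Assumption: the domains the organisation owns and publishes mail records for.
OWNED_DOMAINS = {"chipotle.com", "careers.chipotle.com"}

# Constructed stand-in for DNS: {domain: {"MX": [...], "TXT": [...]}}.
# A real audit would query MX and TXT (SPF) records instead of reading a dict.
DNS_BEFORE_TAKEOVER = {
    "chipotle.com": {
        "MX": ["mx.mailhost.example."],
        "TXT": ["v=spf1 include:_spf.mailhost.example -all"],
    },
    "careers.chipotle.com": {
        "MX": ["mx.mailhost.example."],
        "TXT": ["v=spf1 include:_spf.mailhost.example -all"],
    },
    # chipotlehr.com is absent: unregistered, so neither MX nor SPF exists.
}

# Same table after a third party registers chipotlehr.com and points it at a
# mail host (hypothetical host name). The domain now resolves, but is not ours.
DNS_AFTER_TAKEOVER = dict(DNS_BEFORE_TAKEOVER)
DNS_AFTER_TAKEOVER["chipotlehr.com"] = {"MX": ["mx1.mailhost.example."], "TXT": []}

# Every header a reply or a bounce might be routed by.
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")


def sender_domains(raw_message):
    """Map each addressing header present to the set of domains it names."""
    msg = email.message_from_string(raw_message)
    found = {}
    for field in ADDRESS_HEADERS:
        for _display, addr in getaddresses(msg.get_all(field, [])):
            if "@" in addr:
                found.setdefault(field, set()).add(addr.rsplit("@", 1)[1].lower())
    return found


def audit_message(raw_message, owned=OWNED_DOMAINS, dns=DNS_BEFORE_TAKEOVER):
    """Return findings for one message; an empty list means it may be sent."""
    findings = []
    for field, domains in sorted(sender_domains(raw_message).items()):
        for domain in sorted(domains):
            # The decisive test: do we control this domain? Whether it
            # resolves today says nothing about who will own it tomorrow.
            if domain not in owned:
                findings.append(f"{field}: {domain} is not an owned domain")
            records = dns.get(domain)
            if records is None:
                findings.append(f"{field}: {domain} has no DNS records; replies bounce "
                                "until someone registers it")
                continue
            if not records.get("MX"):
                findings.append(f"{field}: {domain} publishes no MX record")
            if not any(t.startswith("v=spf1") for t in records.get("TXT", [])):
                findings.append(f"{field}: {domain} publishes no SPF record, "
                                "so receivers cannot tell our mail from a forgery")
    return findings


# Constructed messages modelled on the case in the article (local part assumed).
UNOWNED_SENDER = """\
From: Chipotle Careers <noreply@chipotlehr.com>
Reply-To: noreply@chipotlehr.com
To: applicant@example.org
Subject: Your application

Thank you for applying. Please follow the link below to continue.
"""

OWNED_SENDER = """\
From: Chipotle Careers <noreply@careers.chipotle.com>
To: applicant@example.org
Subject: Your application

Thank you for applying. Please follow the link below to continue.
"""


if __name__ == "__main__":
    for label, dns in (("before takeover", DNS_BEFORE_TAKEOVER),
                       ("after takeover", DNS_AFTER_TAKEOVER)):
        for name, raw in (("owned sender", OWNED_SENDER),
                          ("unowned sender", UNOWNED_SENDER)):
            result = audit_message(raw, dns=dns)
            print(f"[{label}] {name}: {'OK' if not result else '; '.join(result)}")
```

The second DNS table is the point of the exercise: once a third party registers the domain and publishes MX records (the dig output further down this thread shows exactly that happening), an audit that only asks "does this domain resolve?" goes quiet at precisely the moment the risk is highest. The ownership allowlist is the check that matters; the MX and SPF checks only explain why replies were bouncing and why the mail was likely landing in spam folders before the takeover.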
sell the domain on eBay India!!!
I am sure any young Indian entrepreneur-Zuckerberg can manage to get millions
just asking for an application fee
Re:
who would all pay a small fee for the application...
after he buys himself a couple of Indian cities and politicians he will be untouchable...
Registry Domain ID:
Registrar WHOIS Server: whois.domaindiscover.com
Registrar URL: https://www.tierra.net
Updated Date: 2015-11-13T12:03:30Z
Creation Date: 2015-11-13T12:02:13Z
Re:
;chipotlehr.com. IN MX
;; ANSWER SECTION:
chipotlehr.com. 3600 IN MX 10 mx1.daemonmail.net.
chipotlehr.com. 3600 IN MX 10 mx2.daemonmail.net.
And?
But hey, this guy knows how to set up domain records. Better than many commercial entities. And rfc 2142 compliant. Someone hire him.
Re:
So what's really been happening for the most part is HR has been firing off responses to applicants that never arrive... but Chipotle would never know, as they weren't expecting a response.
Occam's Razor
That doesn't appear to be the case here, so what is Chris Arnold's excuse?