Chipotle Exposes Private Data By Sending HR E-mails Via Unowned Domain, Doesn't See The Problem

from the utterly-oblivious dept

Chipotle has been making headlines lately for all the wrong reasons. While justifiably lauded for its efforts at embracing more sustainable agriculture, the restaurant is currently in the aftermath of a massive E. coli outbreak in Washington and Oregon that resulted in dozens of illnesses and hospitalizations. And while the CDC's ongoing investigation of that outbreak is grabbing most of the public's attention, the company has quietly been caught up in another, less noticed snafu involving a total lack of fundamental security common sense.

Apparently, Chipotle’s human resources department has been replying to new job applicants using the "chipotlehr.com" domain. The problem? This is a domain that the company neither owns nor controls, meaning that anybody could nab it for themselves and, with minimal effort, begin harvesting applicant data while posing as Chipotle. While the messages sent to applicants from this domain urge them not to respond to the e-mail, the fact that an unowned domain is being used for communications still remains obviously problematic:
Noticing this potentially major problem, a security researcher named Michael Kohlman (apparently applying in order to maintain unemployment benefits while between gigs) grabbed the domain for $30. He then reached out to Chipotle to explain the potential liability of the company's sloppy security and offered the company the domain, for free. Chipotle's response? Utter and total denial that there was any problem whatsoever:
"Kohlman has since offered to freely give over the domain to the restaurant chain. But Chipotle expressed zero interest in acquiring the free domain. In fact, Chipotle’s spokesman Chris Arnold says the company doesn’t see this as a big deal at all.

"The chipotlehr.com domain is not a functional address and never has been,” Arnold wrote in an emailed statement. “It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this. That address is being changed to careers.chipotle.com (a domain that we do own), but this has never been functional and is really a non-issue.”
That's a $3.5 billion company showing it has zero understanding of security. At all. The fact that it lacked "operational significance" is totally irrelevant. All a hacker would need to do is register the domain, begin replying to recipients, and direct them to even a crude facsimile of a real Chipotle website. From there, it would have been trivial to farm applicants for all manner of personal data, including addresses, phone numbers, and social security numbers. The proper response from Chipotle to somebody highlighting this and offering the domain for free? Thank you.

Filed Under: email, hr, security
Companies: chipotle


Reader Comments



  1. That One Guy (profile), 20 Nov 2015 @ 7:44am

    Small silver lining

    They may be idiots when it comes to security, but give them at least some credit: when informed about a glaring potential problem, they at least didn't try and sue the one who pointed it out to them.

  2. DannyB (profile), 20 Nov 2015 @ 8:21am

    Re: Small silver lining

    Exactly what I was going to point out.

    At least they didn't sic the lawyers. Yet.

    But now that they have egg on their face, and are exposed as incompetent fools, the lawyers may yet be unleashed.

  3. beech, 20 Nov 2015 @ 8:24am

    no problem?

    So who am I to believe about a website's security practices? A security researcher or someone employed by the company to make them look good no matter what?

    And if sending emails on an unsecured domain is perfectly fine and no problem, why did they bother to change it?!

  4. Stephen, 20 Nov 2015 @ 8:45am

    SPAM filters

    I'm actually surprised the emails went through. The email already has a lot of marketing speak and then you add no valid DNS records. It really looks like SPAM or a phishing attempt.

  5. Anonymous Coward, 20 Nov 2015 @ 8:46am

    Re: Re: Small silver lining

    They better wash that egg off their face ASAP, or else they might be risking a salmonella outbreak as well.

  6. Anonymous Coward, 20 Nov 2015 @ 8:46am

    Re: Re: Small silver lining

    > they have egg on their face

    Nonsense. Eggs aren't on the major ingredient list at Chipotle.

    Clearly, they have refried beans on their face.

  7. Berenerd (profile), 20 Nov 2015 @ 8:53am

    Re: SPAM filters

    They probably have on the site a notice about checking spam filters.

  8. Anonymous Coward, 20 Nov 2015 @ 8:54am

    Re: Re: Re: Small silver lining

    They would have guac on their face, but that costs extra.

  9. Mason Wheeler (profile), 20 Nov 2015 @ 9:04am

    When I lived in Washington, I went to a Chipotle once. I found it to be very, very similar to the less-famous Qdoba, but with one significant difference: Chipotle is a victim of "Mexican restaurant disease." If you haven't heard of it, this is a mental condition known to frequently affect people who run Mexican restaurants, which causes them to think everything should be extremely hot (as in spicy, not temperature) and to treat picante as an acceptable substitute for flavor. Qdoba did not have that problem.

    I didn't go back. With this E. coli outbreak, I'm glad I didn't.

  10. alternatives(), 20 Nov 2015 @ 9:10am

    There is a reason no one has heard of it.

    > Chipotle is a victim of "Mexican restaurant disease." If you haven't heard of it,

    That's because it is a made-up "disease". It doesn't exist outside the head of the person who's claiming the existence of the condition.

  11. Anonymous Coward, 20 Nov 2015 @ 9:10am

    Never ate there, never will.

  12. Dan (profile), 20 Nov 2015 @ 9:22am

    Misleading headline

    Your headline says "Chipotle exposes private data"--how, precisely, does Chipotle do this? You've described a hypothetical scenario, which so far as you know (or at least, so far as you've said) hasn't actually happened, in which a job applicant might inadvertently expose their private data to a malicious third party. But so far as you've described, Chipotle hasn't exposed anything to anybody. Could you clarify, or fix your headline?

    This isn't to defend them--this is a completely boneheaded mistake. But what it is, is bad enough that you don't need to invent other things that it isn't.

  13. Dan (profile), 20 Nov 2015 @ 9:26am

    Re:

    I agree that Chipotle is very similar to Qdoba (and Moe's, for that matter), both of which I prefer over Chipotle if given the option. But I've eaten at a lot of Mexican restaurants, and I don't recall any where I had trouble finding a dish that wasn't uncomfortably spicy. Maybe you've been eating at the wrong restaurants.

  14. Anonymous Coward, 20 Nov 2015 @ 9:35am

    Re: Misleading headline

    If I leave my house empty, unlocked and unguarded, have I not exposed it to potential thieves, regardless of whether any thieves actually take advantage?

  15. Anonymous Coward, 20 Nov 2015 @ 9:35am

    since this will NEVER reach mainstream news...

    Sell the domain on eBay India!!!

    I am sure any young entrepreneur Indian Zuckerberg can manage to get millions
    just asking for an application fee.

  16. Anonymous Coward, 20 Nov 2015 @ 9:39am

    Re: Misleading headline

    "congratulations, Mr XYZ
    you have accomplished the next selection stage!!!
    we need to check some details before we send you the link to our internal hr website,
    please send us your SSN via answering to this email..."

  17. Anonymous Coward, 20 Nov 2015 @ 9:42am

    Re:

    The US is full of unemployed applicants,
    who would all pay a small fee for the application...
    after he buys himself a couple of Indian cities and politicians he will be untouchable...

  18. Anonymous Coward, 20 Nov 2015 @ 9:57am

    Domain Name: CHIPOTLEHR.COM
    Registry Domain ID:
    Registrar WHOIS Server: whois.domaindiscover.com
    Registrar URL: https://www.tierra.net
    Updated Date: 2015-11-13T12:03:30Z
    Creation Date: 2015-11-13T12:02:13Z

  19. Dan (profile), 20 Nov 2015 @ 10:13am

    Re: Re: Misleading headline

    The analogy presented by AC#1, and the hypothetical presented by AC#2, are both completely off-base.

    To AC#1: Your analogy would work if Chipotle were leaving their systems unsecured. As far as this article portrays, though, there's no lack of security on their systems.

    To AC#2: The email that was sent did not request any information, and it specifically directed that recipients not reply to it. How exactly do you think your hypothetical relates to this story?

    Again, there's just no excuse for their setting up their autoresponder to reply from an address they don't own, on a domain they don't own, or have any control over. That's bad enough, and it makes them look like complete n00bz. Reveal their incompetence for what it is, but don't invent harms that haven't happened.

  20. Anonymous Coward, 20 Nov 2015 @ 10:38am

    Good luck hiring someone who can fix the problem; any admin that knows their stuff wouldn't respond to an email from that domain.

  21. Michael, 20 Nov 2015 @ 10:44am

    Re: Re: Re: Re: Small silver lining

    They don't eat at Chipotle because of the E. coli.

  22. Michael, 20 Nov 2015 @ 10:47am

    Re: There is a reason no one has heard of it.

    You appear to be suffering from the "claiming real diseases are made up diseases" disease.

    I suggest you seek medical help immediately.

  23. Anonymous Coward, 20 Nov 2015 @ 10:51am

    Re: Re: Re: Misleading headline

    There is a lack of security in their method. You're being obtuse.

  24. Blackfiredragon13 (profile), 20 Nov 2015 @ 11:07am

    Re: Small silver lining

    It's sad that's something we can look at as a silver lining.

  25. David Dowdle (profile), 20 Nov 2015 @ 11:17am

    Couldn't the person that now owns the domain put up an SPF record different than the email server that Chipotle is using and cause their emails to be rejected by many spam filters?

  26. Dan (profile), 20 Nov 2015 @ 11:17am

    Re: Re: Re: Re: Misleading headline

    You're making an orthogonal point. Yes, their (former) method is poorly thought out. Yes, it could result (mind you, "could result" is not the same as "has resulted") in other people (i.e., not them) sending private information to malicious third parties. But that's not what the article claims. The article--specifically, the headline--claims, "Chipotle exposes private data". That claim, at least as applied to the rest of the article, is false--Chipotle has exposed no data at all. The worst that can be said is that they've created a risk that someone else will expose private data.

  27. Anonymous Coward, 20 Nov 2015 @ 11:32am

    Re: Misleading headline

    True... reading everything presented here, I would have come to a completely misled conclusion about what's happening if I didn't actually work in this field.

    For a clearer explanation of the issue:

    Chipotle forged the "from" address on their HR notification emails (likely to prevent replies from reaching them). The forged "from" domain they chose was "chipotlehr.com" which was an unregistered domain.

    This means that anyone replying to any email from these addresses will get an eventual reply back from their mail server stating that the message was undeliverable.

    What the security researcher did was register the domain, for the express purpose of:

    Preventing a third party from registering the domain and then pretending to be Chipotle HR by receiving all the emails from people who replied to the "do not reply" email address.

    So what Chipotle was actually doing is setting up a phishing attack for anyone to take advantage of, with the added bonus for the phisher that the conversation was started between a legit Chipotle HR representative and the potential victims.

    To make it clearer for Chipotle: this is the equivalent of sending out letters to all the applicants with a return address for a PO box they don't actually own.

    Anything the recipients actually SEND will go to that PO box, and whoever actually owns it can do what they like with what they receive.

  28. Anonymous Coward, 20 Nov 2015 @ 11:34am

    Re: Re: Re: Misleading headline

    How many replies do you think noreply@everydomain.ever gets? A lot.

    Their mail admin should have stopped this from ever happening by saying "Boss, this is stupid as hell. People are not always brilliant and will reply to these messages. We should snatch up the domain even if all the responses die in the sender's queue, and we're going to end up in just about every major email provider's spam filter because there isn't an MX record in any DNS server for this domain and our outgoing mail would fail an SPF check. Or we could just use noreply@chipotle.com." Two solutions that could have averted introducing additional risk. The first is configuring the outgoing email to use a legitimate domain as the sender/reply-to. The other is one annual $30 credit card charge and an hour's worth of work.

    The quote:
    "The chipotlehr.com domain is not a functional address and never has been"
    is simply not true. It wasn't functional at a point in time, but it sure as hell is now, just not for them.

    Another quote:
    "It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this."
    I beg to differ, but yes, there is a security risk. Also, sending an email almost guarantees soliciting a response from some percentage of recipients. They asked people to follow a link, but didn't explain why. If it didn't have operational significance, why the hell did they need to use the chipotlehr.com domain in the first place?

    They sent email with a faked from address, for a domain they did not own or have permission to use for this purpose, and used it for official company communications that would almost certainly wind up with PII exposure, even if the response rate was minimal. That's a risk. It could possibly be construed as negligence. I certainly think it is in the English definition, but I'm no lawyer so I can't speak to the legal definition.

    While technically their own site, that they actually operate, didn't have this risk/vulnerability, their HR business practices did introduce risk and a vulnerability for those who were attempting to communicate with their HR department. Because some dipshit at Chipotle didn't want to use noreply@chipotle.com, they opened up an easy avenue for mischief, fraud, or identity theft for potential employees.

    As a final point, where in the screenshot of Krebs' email does it say "Do not reply to this message, it is an un-monitored mailbox"? It doesn't, nor anything even close, and it sure as hell doesn't tell the recipient that any replies will go to a system Chipotle doesn't own or control. Go read the article on Krebs' site and tell me that nobody was ever at risk. The person who registered the domain got a LOT of replies and information. It would have been trivial to get those applicants to give up any and all information the chipotlehr.com domain owner wanted. Those people are job hunting and would, in some cases, be quite desperate and willing to do whatever is asked.

    Luckily for Chipotle it was a decent person who found this gap and filled it for them. They should be thanking this guy and (ironically) offering him a job.

  29. Anonymous Coward, 20 Nov 2015 @ 11:37am

    Re:

    Yup. But most spam filters will reject emails with forged from headers anyway.

    So what's really been happening for the most part is HR has been firing off responses to applicants that never arrive... but Chipotle would never know, as they weren't expecting a response.

  30. David Dowdle (profile), 20 Nov 2015 @ 12:08pm

    Re: Re:

    My understanding is that spam filters can only know it's forged if the domain has an SPF record on it with authorized mail servers. That's not the case here.
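The mail-authentication point in the comment above (a receiving server can only call a From address forged if the sending domain publishes an SPF record naming its authorised servers) and the article's underlying worry about automated mail sent as an unowned domain, as an added example in Python that is not Techdirt's, Chipotle's or any commenter's code. It evaluates SPF over a constructed in-memory DNS table (every domain, record and IP address in it is invented; real use would query DNS, honour the RFC 7208 lookup limits and handle the a, mx, exists and redirect terms that this simplified evaluator reports as permerror) and then audits a constructed outbound autoreply's From and Reply-To domains against the set of domains the sender actually controls.

```python
"""Added example (not Techdirt's, Chipotle's or any commenter's code): a minimal
SPF evaluator plus an outbound-mail audit, both over constructed data.

An unregistered domain, or a registered one with no SPF record, evaluates to
"none": the receiver has nothing to compare the sending server against, so it
cannot call the mail forged, and the sender gets no spoofing protection.
"""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups. All domains and addresses invented.
# An unregistered domain simply has no entry at all.
FAKE_DNS_TXT = {
    "example-hr.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.test -all"],
    "_spf.mailvendor.test": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    "noreply-placeholder.test": [],  # registered, but publishes no SPF record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's single v=spf1 record, or None if it publishes none."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate SPF for sender_ip sending as @domain.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    Simplified: only ip4, ip6, include and all are modelled; a, mx, exists
    and redirect (which need further DNS lookups) yield permerror here.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps recursion to stop include loops
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"  # nothing published: receiver cannot tell forged from real
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # An include matches only when the included domain's check passes.
            if check_spf(sender_ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"  # record ended without an "all" term


# Constructed: the domains this hypothetical company actually controls.
OWNED_DOMAINS = {"example-hr.test", "noreply-placeholder.test"}

# Constructed outbound autoreply: From is owned but unprotected, Reply-To is
# a domain nobody has registered, which is the situation the article describes.
SAMPLE_AUTOREPLY = """\
From: Careers <careers@noreply-placeholder.test>
Reply-To: donotreply@unregistered-example.test
To: applicant@example.net
Subject: Thank you for your application

This mailbox is not monitored. Please do not reply.
"""


def audit_outbound(raw_message, owned=OWNED_DOMAINS, dns=FAKE_DNS_TXT):
    """Flag From/Reply-To domains the sender does not control, or controls but
    has left without an SPF record. Returns a list of finding strings."""
    msg = message_from_string(raw_message)
    findings = []
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if not value:
            continue
        domain = parseaddr(value)[1].rpartition("@")[2].lower()
        if domain not in owned:
            findings.append(f"{header}: {domain} is not a domain we control")
        elif lookup_spf(domain, dns) is None:
            findings.append(f"{header}: {domain} publishes no SPF record")
    return findings


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.10", "203.0.113.5"):
        print(ip, "as example-hr.test ->", check_spf(ip, "example-hr.test"))
    print("unregistered domain ->", check_spf("203.0.113.5", "unregistered-example.test"))
    for finding in audit_outbound(SAMPLE_AUTOREPLY):
        print("FINDING:", finding)
```

Run as a script it prints the SPF result for three sending addresses against the protected domain, then "none" for the unregistered one, and finally the two audit findings for the sample autoreply. The audit is the check the comments argue should sit in front of any autoresponder configuration: every From and Reply-To domain must be one the organisation controls, and controlled domains should publish SPF so receivers can reject mail that impersonates them.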

  31. orbitalinsertion (profile), 20 Nov 2015 @ 12:39pm

    Re:

    ;; QUESTION SECTION:
    ;chipotlehr.com. IN MX

    ;; ANSWER SECTION:
    chipotlehr.com. 3600 IN MX 10 mx1.daemonmail.net.
    chipotlehr.com. 3600 IN MX 10 mx2.daemonmail.net.

    And?

    But hey, this guy knows how to set up domain records. Better than many commercial entities. And RFC 2142 compliant. Someone hire him.

  32. orbitalinsertion (profile), 20 Nov 2015 @ 12:40pm

    Security?

    They don't understand the internet.

  33. Anonymous Coward, 20 Nov 2015 @ 6:52pm

    Re: Re: Misleading headline

    I would say Techdirt is exposed right now. Same goes for every other site that is online.

  34. Anonymous Coward, 21 Nov 2015 @ 8:10am

    Occam's Razor

    When I saw a headline indicating that somebody had made an incomprehensibly bad business decision, my first instinct was to do an image search for the person's name to see if they looked like a diversity hire.

    That doesn't appear to be the case here, so what is Chris Arnold's excuse?

  35. Klaus, 21 Nov 2015 @ 9:20am

    Re: Re: Re: Re: Re: Misleading headline

    And neither is "could" the same as "hasn't".

    The point has been well made that neither Chipotle nor yourself are in any position to claim, let alone prove the opposite, that no data has been exposed. They have put their job applicants' personal data at risk and seemingly couldn't care less.

    They should be birched for this.

  36. Klaus, 21 Nov 2015 @ 9:29am

    Re: Re: Re: Re: Misleading headline

    +1 Your comment about job seekers being desperate is esp. valid.

    "In order to process your application, please send $100 processing fee via Western Union to our Nigerian head office."

  37. Anonymous Coward, 23 Nov 2015 @ 7:21am

    Re: Re: Re: Re: Re: Small silver lining

    I only eat there if the E. coli is sustainably sourced.


