US Restaurant Chain Chipotle Security Gaffe Exposes Emails

The US restaurant chain Chipotle has reportedly fallen foul of a basic corporate security practice that allowed a job applicant to read emails sent to the company.

Chipotle, like many companies, uses placeholder email addresses for messages it doesn’t want users to respond to – in this case, an address using the “chipotlehr.com” domain was used as a reply-to address in automated messages sent to job applicants.

Security lapse

However, Chipotle doesn’t and has never controlled the chipotlehr.com domain, meaning a job applicant was able to register the address and receive all emails sent to it, according to a report by security journalist Brian Krebs.

The domain was purchased by Michael Kohlman, an IT specialist currently between jobs who sent an application to Chipotle’s online careers portal in order to fulfil the terms of his unemployment benefits, Krebs reported.

Kohlman sent a response to the placeholder address, as an experiment, and his curiosity was aroused when the error message he received in response seemed to indicate that the domain had never been registered.

He registered it himself, and immediately began to receive a stream of messages sent to the address. While the chain’s automated messages to job applicants discourage them from replying to the messages, the address nevertheless received a steady flow of messages, mostly from job applicants and users seeking password assistance for the company’s online HR portal.

“In nutshell, everything that goes in email to this HR system could be grabbed, so the potential for someone to abuse this is huge,” Kohlman said.

Sensitive data

The security implications of using such third-party domains are illustrated by companies’ use of placeholder addresses containing “donotreply.com” in messages they don’t want a response to.

In practice, as Krebs reported in The Washington Post in 2008, users often do reply to such messages, with the result that the person who happens to own that domain – in this case, Seattle videogame programmer Chet Faliszek – can read whatever is sent there.

Faliszek told Krebs at the time that he’d received sensitive information from Capital One banking customers, reports on security vulnerabilities for a New Jersey bank and reports on supplies and locations for troops in Iraq from a former subsidiary of Halliburton.

When Faliszek approached the companies involved about the security lapse presented by their use of “donotreply.com”, he met with incomprehension and was threatened by lawsuits.

In this case, Chipotle’s response was similar, denying that the address has “any operational significance”.

“There has never been a security risk of any kind associated with this… this has never been functional and is really a non-issue,” Chipotle said in a statement, adding that the address is being changed to one the company does own. The company declined an offer by Kohlman to transfer the domain into its possession free of charge.

Krebs noted that Chipotle, a $3.5 billion (£2.3bn) company, only hired its first chief information officer in October.

In February of this year the chain’s Twitter account was hacked by intruders who used it to post racist and offensive messages targeting the US government and government agencies.

Are you a security pro? Try our quiz!