
The '$4.4m a year' bug: Chipotle online orders swallowed by JavaScript credit-card form blunder

Taco titan's e-ordering fails when browser autofill takes over

Chipotle Mexican Grill has been leaving money on the table, thanks to an apparent bug in the restaurant chain's e-commerce operation.

On Thursday, Jason Grigsby, co-founder of app development biz Cloud Four, published his analysis of the eatery's online order form. The webpage code, he claims, contains an error that he estimates is costing the company millions in lost sales.

While attempting to submit an order, Grigsby encountered two error messages: one indicating that the website had been unable to save his credit card number, even though he had not checked the box to allow this, and the other a general submission error.

The errors happened every time he tried to use his browser's autofill capability but not when the data was entered manually. Upon further scrutiny, he noticed that his credit card's expiration date kept being changed after the date was filled in.

Grigsby traced the problem to the way the food biz implemented the expiration date input field in its order form. The order form, built using JavaScript with the Angular framework, relies on an Angular module called ui-mask, which allows developers to limit input based on a predetermined pattern.

In this case, the ui-mask="99" attribute limits the expiration date input field to two characters, but when autofill supplies a four-digit year it keeps the wrong two. "When autofill tries to enter 2023, this ui-mask only lets the first two characters be entered," explains Grigsby.
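The truncation Grigsby describes, reproduced as an added JavaScript example (not Chipotle's code and not ui-mask's implementation): `applyMask` is a simplified model of a digits-only mask, and `normalizeExpiryYear` is a hypothetical pre-processing step that reduces a four-digit year to the two digits the field expects.

```javascript
// Simplified model of a positional input mask in which '9' accepts one
// digit. Assumption for illustration only; not ui-mask's real code.
function applyMask(mask, raw) {
  let out = '';
  let slot = 0;
  for (const ch of String(raw)) {
    if (slot >= mask.length) break; // mask is full: the rest is dropped
    if (mask[slot] === '9' && /[0-9]/.test(ch)) {
      out += ch;
      slot += 1;
    }
    // anything that is not a digit is skipped without using a slot
  }
  return out;
}

// Hypothetical fix: normalise what the browser supplies before the
// two-character limit applies. Accepts "23", "2023" and " 2023 ".
function normalizeExpiryYear(raw) {
  const digits = String(raw).replace(/\D/g, '');
  if (digits.length === 2) return digits;
  // Only 20YY is accepted, since a two-digit card year is read as 20YY.
  if (digits.length === 4 && digits.startsWith('20')) return digits.slice(2);
  return null; // ambiguous input: show a field error instead of guessing
}

// Constructed sample values, as autofill or a user might supply them.
function demo() {
  return ['23', '2023', ' 2023 ', '202'].map((input) => ({
    input,
    masked: applyMask('99', input),
    normalized: normalizeExpiryYear(input),
  }));
}

console.table(demo());
```

The mask alone turns an autofilled 2023 into 20, while normalising first yields 23. Input that cannot be resolved to a year returns `null`, so the error can be shown at the field rather than after submission.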

Because the expiration date has been altered, submitting the form returns an error and the order does not go through. "I assume it is the backend processor rejecting the card because the expiration year is wrong [since] it happens after form submission," he explained in an email to The Register.

Based on Chipotle's publicly reported average order value of $16-$17 and assuming that fixing autofill would increase transactions by half a percentage point, Grigsby estimates that Chipotle could clear an extra $4.4m in sales annually by eliminating this bug.

Grigsby said he mentioned @ChipotleTweets in a tweet he posted about his findings but didn't bother to see if the company had a bug reporting system.

"That said, I see problems with autofill on many sites," he said. "Chipotle was just a useful example I encountered and unlike most companies, they happen to have provided some information in their financial reports that made it possible to take a guess – albeit a wild guess – at what the financial impact might be."

The Register asked Chipotle for comment, and we've not heard back. ®

