The '$4.4m a year' bug: Chipotle online orders swallowed by JavaScript credit-card form blunder

Chipotle Mexican Grill has been leaving money on the table, thanks to an apparent bug in the restaurant chain's e-commerce operation.

On Thursday, Jason Grigsby, co-founder of app development biz Cloud Four, published his analysis of the eatery's online order form. The webpage code, he claims, contains an error that he estimates is costing the company millions in lost sales.

While attempting to submit an order, Grigsby encountered two error messages, one indicating that the website had been unable to save his credit card number - despite having not checked the box to allow this - and the other being a general submission error.

The errors happened every time he tried to use his browser's autofill capability but not when the data was entered manually. Upon further scrutiny, he noticed that his credit card's expiration date kept being changed after the date was filled in.

Grigsby traced the problem to the way the food biz implemented the expiration date input field in its order form. The order form, built using JavaScript with the Angular framework, relies on an Angular module called ui-mask, which allows developers to limit input based on a predetermined pattern.

In this case, the ui-mask="99" attribute limits the expiration date input field to two characters, but it provides the wrong ones. "When autofill tries to enter 2023, this ui-mask only lets the first two characters be entered," explains Grigsby.

By altering the credit-card expiration date, the form returns an error and prevents the order from going through. "I assume it is the backend processor rejecting the card because the expiration year is wrong [since] it happens after form submission," he explained in an email to The Register.

Based on Chipotle's publicly reported average order value of $16-$17 and assuming that fixing autofill would increase transactions by half a percentage point, Grigsby estimates that Chipotle could clear an extra $4.4m in sales annually by eliminating this bug.

Grigsby said he mentioned @ChipotleTweets in a tweet he posted about his findings but didn't bother to see if the company had a bug reporting system.

"That said, I see problems with autofill on many sites," he said. "Chipotle was just a useful example I encountered and unlike most companies, they happen to have provided some information in their financial reports that made it possible to take a guess - albeit a wild guess - at what the financial impact might be."

The Register asked Chipotle for comment, and we've not heard back. ®

Software News

Oct 15
Choo choo mothertruckers
Oct 14
You want this web tech to be independent? Sure, we'll just put it in an org we bankroll
Oct 14
RoundupApple flogs Microsoft hardware and Puppet's CTO has a... notepad.exe tattoo?
Oct 14
And a release date - sort of
Oct 14
AnalysisWhy Teams is a key product despite its frustrations - and yes, a Linux client is on the way
Oct 14
Who, Me?When 95 + (5 * RAND()) is all your spreadsheet needs
Oct 12
Perl 6 set to be reincarnated as Raku, as favored by Larry Wall