back to article The '$4.4m a year' bug: Chipotle online orders swallowed by JavaScript credit-card form blunder

Chipotle Mexican Grill has been leaving money on the table, thanks to an apparent bug in the restaurant chain's e-commerce operation. On Thursday, Jason Grigsby, co-founder of app development biz Cloud Four, published his analysis of the eatery's online order form. The webpage code, he claims, contains an error that he …

  1. J27 Bronze badge

    This isn't a problem with Chipotle's web site. It's an issue with the autofill program not entering the right information. Credit cards only have two year digits on them, it's silly to enter 4 digits. Autofill programs fail all the time, it's not the site dev's problem.

    Additionally, the idea that they're losing 0.5% of orders die to this comes directly from the "bug" finder's posterior. He sounds like a real idiot.

    1. Andy Tunnah

      Why the 'tude my dude ?

      It's a problem for both the website AND the autofill system. The autofill system should detect that it's a 2 character limit and therefore put in the last 2.

      And I think the number is a good one. The amount of times I've been ordering unnecessary stuff, and the slight roadblock makes me cancel the whole thing. From big bags of biltong from prime, to just random crap on ebay. That minor setback is a great test to see if you actually want it enough to..ergh..check out the order manually.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why the 'tude my dude ?

        Who cares what you think? you have no way of knowing how many sales were lost. How many people use the exact same faulty auto-fill software as this guy?

        1. Pascal Monett Silver badge

          Re: How many people use the exact same faulty auto-fill software as this guy?

          Why ? What version did you install ?

          Since you're so much smarter than the rest of us, please point us to where we can download a proper autofill patch.

      2. Anonymous Coward
        Anonymous Coward

        Re: Why the 'tude my dude ?

        You are correct in stating it is a problem for both the dev and auto fill. But there are many problems with auto fill; it breaks many sites due to filling incorrect fields. I have even seen it put passwords in open display and corrupt hidden fields. The Auto fill developers have also decided to ignore the standard *do not use auto fill on this page/form/control" attributes, making it very difficult to predict what will happen on each minor release of a browser.

      3. Warm Braw Silver badge

        Re: Why the 'tude my dude ?

        It's a problem for both the website AND the autofill system

        It's a problem for the website operator, because the website does not function correctly under all circumstances.

        It's a problem caused by the fact that the browser (that does the autofill) sees only the limited HTML semantics of the input fields and has no knowledge of the extended validation being done in JavaScript. The HTML 5 validation extensions aren't good enough of themselves to sufficiently inform the autofill mechanism how to behave. It's never going to be possible to make it work perfectly with the current schizophrenic model of a web page on the one hand as static data and on the other as a self-modifying program.

        From a privacy and security perspective, I prefer to have both autofill and JavaScript turned off and it surprising how many e-commerce sites break without JavaScript, but I suspect the number of potential customers affected is probably negligible...

      4. ZenCoder

        Re: Why the 'tude my dude ?

        Yeah if I need to struggle to order something ... I often won't. Plus as a programmer I know how ridiculously easy it is to accept input in a variety of formats. There is really no excuse for inconveniencing a customer.

    2. richard?

      Wow, could you have put more incorrect statements into one comment?

      It is a problem with their website if they are losing orders. The customer may not always be right, but losing an order through a technical problem is always wrong.

      Credit cards do frequently have four digit years, and if the site asks for "year" it is perfectly reasonable to put in four digits.

      Autofill programs may fail, but it is the dev's problem since that's the platform they're working on. And it's a perfectly testable scenario, so no excuses it's just poor coding.

      If you've ever looked at any research on loss of capture through UX issues you would know that the percentages lost can be staggering, even at payment stage. You do not want to give people time to get pissed off, think about if they really want it, or look at the total price again.

      1. veti Silver badge

        It's kinda crazy that they even allow a user type in a year, rather than selecting from a drop-down menu.

        Typing is bad, m'kay?

        Of course sometimes it can't be helped, but a "year" field - particularly when there's only likely to be a selection of four or so to choose from - is not one.

        1. A.P. Veening Silver badge

          For a limited selection you are more or less right, but every time I have to "fill in" my birth date by selection, it takes me about a minute (three fields with the correct option never in the top five and one not even in the top 50) while typing it in will take me something like two seconds for eight digits and two tabs (or two separator characters if is all in one field), even less with auto advance.

      2. jmch Silver badge

        "Credit cards do frequently have four digit years"

        a) Over 4 countries where I have been resident, 6 or 7 banks and 3 different credit card providers, I have yet to see a credit card, or indeed debit card, that uses 4 digit years

        b) While I understand that with card validity going at most a few years it's not THAT much of an issue with understandibility, surely following Y2K all the underlying systems actually work with 4 digits.

        I completely fail to see why ANY credit card should have 2-digit and not 4-digit expiry, let alone all of them

      3. overunder Bronze badge

        Y10K IS COMING!!

        "...if the site asks for "year" it is perfectly reasonable to put in four digits."

        Great, just 4? It's Y2K all over again on December 31, 9999.

        And what's with all the hate for Roman's? Why can't I enter MMXIX? So much hate...

      4. NotBob
        FAIL

        If you've ever looked at any research on loss of capture through UX issues you would know that the percentages lost can be staggering, even at payment stage. You do not want to give people time to get pissed off, think about if they really want it, or look at the total price again.

        Doesn't mean there's any basis for the assumption. You'd have to guesstimate the number of folks with autofill, the number of them that have the autofill improperly storing a 4 digit year, and the number of them lazy enough to give up on the order because of it. The number is pretty much guaranteed to have been made up, just like 87% of statistics in news articles.

    3. Esme

      It's also silly that the entire world doesn't use the entirely logical big-endian date format, but nevertheless, I do sometimes find myself having to mentally convert the date I need to enter into one or other of the other weird forms that some bits of the world insist on.

      Or in other words, just 'cause I or you think something is silly, that doesn't mean that everyone else will agree! (The USA date format comes close to creating mental meltdown in me, but hey, I don't encounter it very often, so I'm tolerant of their foibles!) ;-}

      1. jmch Silver badge

        "The USA date format comes close to creating mental meltdown in me"

        Most definitely this. I prefer 'big-endian' and accept 'little-endian' but mixing them up and which way is simply nuts

    4. juice Silver badge

      > This isn't a problem with Chipotle's web site. It's an issue with the autofill program not entering the right information. Credit cards only have two year digits on them, it's silly to enter 4 digits. Autofill programs fail all the time, it's not the site dev's problem.

      This is very much a problem with Chipotle's website, and a failure of their QA processes. Taking credit card payments should be a solved problem by now, not least because the ability to take monies from customers is fundamental to any business.

      > Additionally, the idea that they're losing 0.5% of orders die to this comes directly from the "bug" finder's posterior. He sounds like a real idiot.

      Do you even UI, bro?

      Unless it's something they really need (e.g. concert tickets), people rarely have any patience when it comes to using ordering systems; if there's too many steps or any technical issues, they're highly likely to give up or switch to an alternative provider. This is why Amazon, Ebay and many other companies do their best to offer integrations and/or one-click solutions.

      As to his guesstimate? The main question is around how many people use autofill for their credit card details, since they'll all be affected by this issue. Then, you need to figure out how many of them would recognise that they need to set a two-digit year - and further to that, how many would then be willing to dig the credit card out of their purse/wallet to retrieve the necessary information.

      At a glance, I can't spot any stats for autofill usage, but assuming 25% of people store their card details, it's not unreasonable to assume that a measurable percentage of them (e.g. 4%, or one in twenty) would either give up at the first hurdle or decide that they couldn't be bothered to retrieve their piece of magic plastic...

      1. TrumpSlurp the Troll Silver badge

        25% of people autofill credit card details?

        I always decline the kind offer for the browser to store the CC details.

        It just seems like too much information for the browser to hold.

        I assume that those who do autofill do not include the 3 digit security code (much as frequently used websites can store everything but) but these days who knows?

        1. jmch Silver badge

          Re: 25% of people autofill credit card details?

          "I always decline the kind offer for the browser to store the CC details."

          Not to mention the websites who want to store your CC details.

          "I assume that those who do autofill do not include the 3 digit security code"

          Theoretically this shouldn't be stored either by the browser autofill nor by any of the websites that facilitate transactions (eg your Google account) nor the merchants' websites, but as you say, who knows? It's being sent on the form on every online transaction so in theory is available to store for all of the above.

        2. juice Silver badge

          Re: 25% of people autofill credit card details?

          > 25% of people autofill credit card details?

          To be fair, it was a Wild Ass Guess[*], since I couldn't find any stats after a quick websearch.

          Certainly, I personally refuse to let Google or any other company store my card details, partly for security and partly because it helps to reduce the number of "oh look a shiny *click*" incidents which tend to occur otherwise.

          However, I'm technically-aware enough to be paranoid about such things. The vast majority of people online these days are not as tech-savvy and in general, convenience tends to trump security. So while 25% seemed like a reasonable low-ball guesstimate, I wouldn't be surprised if the actual number was significantly higher!

          [*] As in, pulled out of my^H thin air...

      2. Anonymous Coward
        Anonymous Coward

        @juice: Sorry, I downvoted your post only because you used the very wankerish term "bro", even though I agreed with the rest of it...

        1. juice Silver badge

          > Sorry, I downvoted your post only because you used the very wankerish term "bro", even though I agreed with the rest of it...

          Guilty as charged. Though in my defence, I will say that it was a deliberately mocking (ab)use of a meme ("bro, do you even lift") - using such things is a habit of mine, when I encounter something which is either a troll or utterly ridiculous...

      3. NotBob

        If 25% store their credit card details in autofill, and 4% would decide it's not worth the bother, you're still ignoring the ones for whom autofill works as expected and inputs the correct data. I can pull a similar number from nowhere, but even if it's 50%, the result is significantly off of what this "researcher" estimated.

        1. juice Silver badge

          > If 25% store their credit card details in autofill, and 4% would decide it's not worth the bother, you're still ignoring the ones for whom autofill works as expected and inputs the correct data. I can pull a similar number from nowhere, but even if it's 50%, the result is significantly off of what this "researcher" estimated.

          Fairly sure you've entirely missed the point here, and possibly not even read the article. But I'm feeling nice, so I'll quote the relevant paragraph here:

          "Based on Chipotle's publicly reported average order value of $16-$17 and assuming that fixing autofill would increase transactions by half a percentage point, Grigsby estimates that Chipotle could clear an extra $4.4m in sales annually by eliminating this bug"

          The question isn't around how many people successfully navigate the process. Instead, it's about how many give up when they hit this stumbling block.

          If only half a percent of their customer base (aka: one in two hundred, alternative-measurement-scale fans) hit this problem and walk away, that's the equivalent of $4.4 million to Chipotle's bottom line.

          To be fair, this suggests their overall revenue is around $880 million, and at that point, the odd million here or there perhaps isn't that much of an issue - though I'd love to find even a fraction of this sitting down the back of the sofa!

          However, it's also money they can effectively get for free - after all, the cost of getting a fix through dev/QA is unlikely to be more than a few thousand dollars...

    5. Sgt_Oddball Silver badge
      Headmaster

      Except...

      No customer facing system should ever be relied upon to complete validation. A backend system should ALWAYS check first before approving the payment, otherwise its open season for hackers.

      If their system just takes a payment success flag from the front end only, then they've only got themselves to blame.

      1. Brewster's Angle Grinder Silver badge

        RTFA

        "If their system just takes a payment success flag from the front end only, then they've only got themselves to blame."

        It's made clear in the article that the back-end is validating the payment. The problem is the front-end rewriting valid data so that the back-end rejects it. The bug reporter then goes on to speculate about how much this has cost them in lost sales.

    6. A.P. Veening Silver badge

      Additionally, the idea that they're losing 0.5% of orders die to this comes directly from the "bug" finder's posterior. He sounds like a real idiot.

      You are correct, he is a real idiot as the real number is a lot closer to and probably over 1%.

    7. Anonymous Coward
      Anonymous Coward

      Erm

      It's really irrelevant if the auto fill software is at fault, if you are developing for a large customer-facing organization it's your job to work around quirks and faults whether you like it or not.

      And yes, there is so much competition in this space that 0.5% is probably quite conservative if anything. Even at 0.05% it's worth finding a workaround.

      I work for a smallish company in a niche market and we make a fair %age of our sales just by making it very easy for customers to order when our competitors are still in the stone age using phones and faxes.

    8. the hatter

      The customer is always right. The customer who can't order is even worse. There's a lot of lazy input forms, and in this particular instance, there are (afaik) exactly 4 possibly years that any current card can be expiring in. Is it too complicated for it to recognise '2019' and '19' as the same, across all 4 values, at least as far as client-side input ? You can do stricter validation server-side if it really matters, and in this case you get an extremely hard validation when you submit the payment request, if the customer has entered something really sneaky around your validation steps.

      Similarly, forms which reject spaces in card or phone numbers, and double-beatings for those that have a specific error 'spaces not allowed in card/phone number' You clearly know exactly what I mean and why I'm typing it, it is both common and understandable why the customer has typed them, so do the trivial work to deal with them.

  2. Anonymous Coward
    Anonymous Coward

    That's funny, mine has 4.

    1. Anonymous Coward
      Anonymous Coward

      Mine goes to 11

      1. seven of five
        Joke

        That is not eleven, no matter what she tells you.

  3. Winkypop Silver badge
    Trollface

    Ordering food online via credit card, eh?

    The kids today.

    1. Anonymous Coward
      Anonymous Coward

      Re: Ordering food online via credit card, eh?

      Not food, Chipotle.

      It's sort of like an enema...

      1. Anonymous Coward
        Anonymous Coward

        Re: Ordering food online via credit card, eh?

        It's sort of like an enema...

        The sort of enema that mandates the pre-emptive placing of toilet paper in the fridge overnight.

        1. chivo243 Silver badge
          Pint

          Re: Ordering food online via credit card, eh?

          There are thousands of locally owned Mexican restaurants (with much better food) all across the states, last summer I ate at one in Minnesota! Why in hell would you eat at a bland, homogenized place like Chipotle? However, if Chipotle gives you the shits, maybe you should disregard my advice...

          Beer to put out the ring of fire!

          1. Oneman2Many

            Re: Ordering food online via credit card, eh?

            Why do people eat at McDonalds or BK or Prezzo or any other chain ? Because they know what they are getting. My mrs ate there a few times on a recent visit to San Diego even though pretty much every other restaurant was Mexican.

            1. LDS Silver badge

              'Because they know what they are getting'

              That's exactly the reason I avoid them...

            2. Anonymous Coward
              Anonymous Coward

              Re: Ordering food online via credit card, eh?

              "My mrs ate there a few times on a recent visit to San Diego"

              It's not so much the bland taste as the "medical issues".

              No rectal bleeding? https://southpark.fandom.com/wiki/Dead_Celebrities

              I realise this is questionable humour, but after experiencing multiple Mexican restaurants across multiple states, my one visit to Chipotle wasn't a highlight or something I would recommend.

  4. simonlb Silver badge
    Joke

    The Register asked Chipotle for comment, and we've not heard back

    Was that via an autofill form perhaps? Just asking.

  5. Dr_N Silver badge
    Mushroom

    "The Register asked Chipotle for comment, and we've not heard back."

    Maybe they think you are giving them a ring for some sort of (journalistic) sting?

  6. sbt Silver badge
    Boffin

    Developed in 2017?

    Back when most expiry dates on cards were 2020 and you'd get the right answer for the wrong reason?

  7. petef

    I have often wondered how many autofills populate hidden fields in addition to the visible ones.

  8. Anonymous Coward
    Anonymous Coward

    Maybe it's Javascript saving us from digestive distress

    Remember, you can't spell "Chipotle" without e coli.

  9. gnasher729 Silver badge

    An iPhone can automatically create and remember really safe passwords for websites; I suppose other phones can do that as well.

    My wife uses a website that asks for say the 2nd, 5th an 8th character of the password. Autofill then puts the _whole_ password into the field for the first character, from which it can't be deleted anymore, so she is stuck. Quite separate from the fact that you don't _know_ these passwords; the whole point is that the phone does it for you, so it can use a password that is too complicated to remember.

  10. JimmyPage Silver badge
    FAIL

    Once again, roll-your-own code turns out to be flaky

    Who'd have thought it ?

    Of course a lot a less good sites simply try and disable autofill - and autofill helpers like password managers. Which is a real shit if you are relying on them for accessibility assistance. Like my wife.

  11. zaax

    Its not only Chipotle

    I have abandoned quite a few transactions with various companies because of a fault in the ordering system. Maybe Maplin would have survived if there ordering system worked all the time

  12. Captain Scarlet Silver badge
    Mushroom

    Saved Card Details

    NO

    I hate anything offering to save card details, bugger off.

  13. SecretSonOfHG

    So much web development ignorance here

    Astonished by how many people blame the Chipotle devs. This is first and foremost a problem triggered when one web site uses a form field with the same name as some other form elsewhere that the user has already previosuly completed. "Elsewhere" means anywhere in the entire internet. No amount of coding on the client side can prevent autocomplete from inserting what it thinks should be there. If anyone is to blame here is the browser developers who do not honor the "do not autocomplete" DOM attributes.

    True, there are things the Chipotle devs can do to at leats mitigate that, like using aonother name for the field (note that flagging to autocomplete that it should not mess with the field may result in these same "usability experts" complaining about having to type the CC expiry year all the time!) And they should do whatever it takes to streamline the customer experience. But definitely they should not get so much blame as the comments imply.

  14. dnicholas Bronze badge

    Extrapolation

    Yay for pulling numbers out of thin air. Not enough of this these days

  15. STOP_FORTH
    WTF?

    Gobsmacked

    Do I take it that testing of auto-completion and input validation are no longer a thing?

    The Web is doomed, I tell 'ee.

  16. LeahroyNake Silver badge

    Sounds like

    'The Register asked Chipotle for comment, and we've not heard back. ®'

    You misspelled Apple. Or any other large business that you continually manage to piss off by telling the truth. That end line gets funnier every time I see it :)

  17. Anonymous Coward
    Anonymous Coward

    hey Chipotle

    Taco Bell took my credit card with no problems, then so did Walgreens when I went in after Pepto Bismol

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019