Submitted via IRC for Bytram
The '$4.4m a year' bug: Chipotle online orders swallowed by JavaScript credit-card form blunder
Chipotle Mexican Grill has been leaving money on the table, thanks to an apparent bug in the restaurant chain's e-commerce operation.
On Thursday, Jason Grigsby, co-founder of app development biz Cloud Four, published his analysis of the eatery's online order form. The webpage code, he claims, contains an error that he estimates is costing the company millions in lost sales.
While attempting to submit an order, Grigsby encountered two error messages, one indicating that the website had been unable to save his credit card number – despite having not checked the box to allow this – and the other being a general submission error.
The errors happened every time he tried to use his browser's autofill capability but not when the data was entered manually. Upon further scrutiny, he noticed that his credit card's expiration date kept being changed after the date was filled in.
Grigsby traced the problem to the way the food biz implemented the expiration date input field in its order form. The order form, built using JavaScript with the Angular framework, relies on an Angular module called ui-mask, which allows developers to limit input based on a predetermined pattern.
In this case, the ui-mask="99" attribute limits the expiration date input field to two characters, but it provides the wrong ones. "When autofill tries to enter 2023, this ui-mask only lets the first two characters be entered," explains Grigsby.
By altering the credit-card expiration date, the form returns an error and prevents the order from going through. "I assume it is the backend processor rejecting the card because the expiration year is wrong [since] it happens after form submission," he explained in an email to The Register.
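The truncation described above, modelled next to a field handler that accepts either year format. This is an added example, not Chipotle's or ui-mask's code; the function names and the 50-year plausibility window are assumptions made for illustration.

```javascript
// Added illustration. maskTwoDigits and normalizeExpiryYear are hypothetical
// helpers, not part of ui-mask or of the order form discussed in the article.

// Models the effect the article describes: a "99" mask keeps only the
// first two digits of whatever is typed or autofilled.
function maskTwoDigits(input) {
  return String(input).replace(/\D/g, "").slice(0, 2);
}

// Tolerant alternative: accept "23" or "2023" and return a four-digit year,
// or null when the input is malformed, expired, or implausibly far ahead.
function normalizeExpiryYear(input, now = new Date()) {
  const digits = String(input).trim();
  if (!/^(\d{2}|\d{4})$/.test(digits)) return null;

  const currentYear = now.getFullYear();
  let year = Number(digits);
  if (digits.length === 2) {
    // Expand to the current century, rolling forward if that lands in the past.
    year += Math.floor(currentYear / 100) * 100;
    if (year < currentYear) year += 100;
  }

  // Assumed window: this year up to 49 years ahead.
  if (year < currentYear || year - currentYear >= 50) return null;
  return year;
}

// Constructed sample: autofill supplies "2023" on a fixed date in 2019.
const sampleNow = new Date(2019, 8, 22);
const masked = maskTwoDigits("2023");
console.log(masked);                                  // what the masked field keeps
console.log(normalizeExpiryYear(masked, sampleNow));  // plausible year, but not the card's
console.log(normalizeExpiryYear("2023", sampleNow));  // unmasked input resolves correctly
```

The masked value still passes a client-side plausibility check, which is why the mismatch only surfaces when the card is submitted for processing.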
(Score: 2) by theluggage on Sunday September 22 2019, @03:58PM (1 child)
...and if, in 2099, we're still using credit cards as we know them but they have expiry dates more than 49 years in the future (well, there's bound to be some progress) then we'll only have ourselves to blame.
Back in reality, there's no problem with saving typing by having a 2-digit year when you know that any valid date is going to be (a) in the future and (b) less than 50 years in the future. Which is probably why most credit cards still use 2 digit dates... and GP is right - it's hard to start anticipating what an Artificial Stupidity system like autofill (which probably picked up a 4-digit expiry date from another form with a 'select year' dropdown) will try and enter - and there's no way for a form to telepathically know that '20' isn't a valid expiry date until it actually submits the card for processing.
Frankly, autofill is sometimes handy for addresses but shouldn't be touching credit card details anyway. I'm trying to think of a reason why we need to enter the expiry date for a card, esp. with the CVC serving as a double check, and the #1 reason that comes up is to remind the user to check the expiry date.
That said... a good form should try its level best to be user friendly and accept any unambiguous input (and being able to accept either "2023" or "23" for an expiry date doesn't need AI) but that's in the realms of attention to detail - something to be picked up by user testing - not a 'bug'.
(Score: 2) by FatPhil on Monday September 23 2019, @11:26AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves