Additional Information Regarding the April 6th Security Patch

    As you know, Marketo issued a security patch on 4/6/16 in order to strengthen token encryption within email links. At Marketo, security is a top priority and we will continue to invest in changes that make the platform more robust.

     

    In reference to this patch, Marketo Support has been answering several common questions that are documented here for your reference. Please find this information below and, as always, contact Marketo Support if you still have any unanswered questions.

     

    Are all email links impacted by this patch?

    No, the vast majority of links within emails are not impacted in any way. By default, Marketo converts all email links to shortened tracking links. These links were not impacted by this patch. These links should continue to function as expected, regardless of when your email was sent.

     

    Note: This also applies to any links that contain the “mktNoTrack” or “mktNoTok” class. These links were also not impacted by this patch.

     

    Which links were impacted?

    The only links that were impacted were links that contain pre-generated mkt_tok values. There are three ways these types of links can be present in your email:

     

    1.  You use one of the following system tokens in your email:

    {{system.viewAsWebpageLink}}

    {{system.unsubscribeLink}}

    {{system.forwardToFriendLink}}

     

    2.  You use the “Include View as Web Page” option in the Email Editor and your Admin > Email defaults for “View as Web Page Text” explicitly includes an mkt_tok value like this:  mkt_tok=##MKT_TOK##

     

    3.  You use Marketo’s default functionality to auto-insert “Unsubscribe” footers at the bottom of your emails and your Admin > Email defaults for “Unsubscribe Text” explicitly includes an mkt_tok value like this:  mkt_tok=##MKT_TOK##

     

    How will behavior change for these links?

     

    1.  System Tokens

    For emails sent out prior to 4/6/16:

      1. {{system.viewAsWebpageLink}} - Any pre-patch emails that contain {{system.viewAsWebpageLink}} links will now direct users to a page indicating that the lead-specific email cannot be rendered. Users will, however, have the option to instead see a generic view of the email (no lead tokens, dynamic content, etc.).
      2. {{system.forwardToFriendLink}} - Any pre-patch emails that contain the {{system.forwardToFriendLink}} link will no longer function. Currently, users will see an error message on click.
      3. {{system.unsubscribeLink}} - Any pre-patch emails that contain the {{system.unsubscribeLink}} link will continue to function and point users to your unsubscribe page. However, the unsubscribe form will not support prefill for this visit.
    Note: For all of the above system tokens, any emails sent out post-patch are not impacted.

     

     

    2.  View as Webpage - If you implement a “View as Webpage” experience in your emails by using Marketo defaults, selecting “Include View as Web Page” from the Email Editor, then you will see the following behavior:

      1. “View as Webpage” links inserted into the HTML side of emails are not impacted. These links should continue to function as expected, regardless of when your email was sent.
      2. “View as Webpage” links inserted into the TEXT side will behave similarly to {{system.viewAsWebpageLink}}. For emails that were sent prior to 4/6/16, these links will direct users to a page indicating that the lead-specific email cannot be rendered. Users will have the option to instead see a generic view of the email (no lead tokens, dynamic content, etc.).
    Note: any emails sent out post-patch are not impacted.

     

    3.  “Unsubscribe” - If you implement an “Unsubscribe” experience in your emails by using Marketo’s defaults, then you will see the following behavior:

      1. “Unsubscribe” links inserted into the HTML side of emails are not impacted. These links should continue to function as expected, regardless of when your email was sent.
      2. “Unsubscribe” links inserted into the TEXT side will behave similarly to {{system.unsubscribeLink}}. For emails that were sent prior to 4/6/16, these links will continue to function and point users to your unsubscribe page. However, the unsubscribe form will not support prefill for this visit.
    Note: any emails sent out post-patch are not impact