Issue with Email Address in a form (Unsubscribe)

Manish_Khemani1
Level 3

Issue with Email Address in a form (Unsubscribe)

Hello Marketo Experts

Before I explain the issue, let me highlight the steps I am executing:
1. On a landing page I fill out a (Marketo) form with email address 1 and I receive an email confirming the same, which has the 'Global Unsubscribe link' pointing to http://info.tcs.com/NewsletterUnsubscribe.html, on email address 1
2. Now, from the same workstation & from the same landing page again, I fill out the form with email address 2 and accordingly receive the email on email address 2
3. I click on the Unsubscribe link from the email I received on email address 1 and it pops up email address 2, instead of email address 1.
Is there a way I can show the email address 1 if I click on the Unsubscribe from email of email address 1 & vice-versa?

This is required to control SPAM.

Please Guide.

Thanks,

Manish

SanfordWhiteman
Level 10 - Community Moderator

Re: Issue with Email Address in a form (Unsubscribe)

It's not customary to want to override this behavior.

The reason this happens is simple: you've forcibly reassociated your web session with email address 2 (which is a different lead, not just a different email).

What I have to ask is why did you not actually want to change the email address of the same lead? Is it the case that multiple humans are using this form from the same workstation and browser session?

Manish_Khemani1
Level 3

Re: Issue with Email Address in a form (Unsubscribe)

Hi Stan,

Though the industry I am in will not have such a scenario, my Security Team needs to plug all loopholes that can cause SPAM to a Lead.

Currently we do not have a Sign-in functionality on our site.

If anyone downloads a white paper by entering his email address and later my CEO's email address, and opts for the unsubscribe option from the Thank-you mail that he received on his email id, he can actually go and unsubscribe my CEO since the cookie is holding the CEO's email address.

Hence the requirement.

SanfordWhiteman
Level 10 - Community Moderator

Re: Issue with Email Address in a form (Unsubscribe)

But the scenario you're talking about is not avoided by resetting or disabling web session association.

Anybody can unsubscribe anybody else by posting a form with their information, including the Unsubscribe field, as long as that field is not blocked from updates in the Marketo Admin UI. (And you can't block it from updates if it's on the form for the purpose of updating!) It doesn't matter if they have a cookie at all.

I think your Security Team needs a better grip on how public forms work. If you don't require a password or even a casual passcode, you're trusting (perhaps mistakenly) that the provided email address correctly identifies the interactive user. Whether the address has been previously entered in that session isn't really relevant. It only matters if it's posted along with the form.

You might instead require that a sensitive form post contain a secret code that is unique to the lead. This code can be passed in the URL and added to the form as a hidden field, so it doesn't need to be manually entered. And put a proxy field on the form instead of the real Unsubscribed field. Then, on the server, compare the secret code before performing the update to the actual field (which has form-based updates blocked but flow-based updates allowed).

But note this arrangement means you're blocking people from unsubscribing if they don't have their secret code on hand, so they will need to request one via email. In some jurisdictions, it's illegal to create such barriers to unsubscribing (yes, even if forged unsubscribes are therefore easier). Check with your legal counsel on this.

Some people attempt to use Click Link for instant confirmation, but this is too risky now with mail scanners prefollowing links.
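An added example, not code from this thread or from Marketo, of the per-lead secret code described above: the code is an HMAC over the lead id and email under a server-held secret, it rides in the unsubscribe URL and a hidden form field, and the server only touches the real Unsubscribed field (stood in for by a dict here) after the posted code verifies. The secret, URLs, field names and function names are all assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed server-side secret; in production it lives in a secrets store,
# never in the landing page, the email template or the form itself.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Stand-in for the real "Unsubscribed" field, which is blocked from form
# updates and only changed by a server-side flow after the check passes.
UNSUBSCRIBED = {}


def unsubscribe_code(lead_id: int, email: str) -> str:
    """Per-lead secret code: HMAC-SHA256 over the lead id and normalised email."""
    msg = f"{lead_id}:{email.strip().lower()}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def unsubscribe_link(base_url: str, lead_id: int, email: str) -> str:
    """Link placed in the outgoing email; the code travels as a query parameter."""
    query = urlencode({"lead": lead_id, "email": email,
                       "code": unsubscribe_code(lead_id, email)})
    return f"{base_url}?{query}"


def form_fields_from_link(link: str) -> dict:
    """What the landing page copies from the URL into hidden form fields."""
    qs = parse_qs(urlparse(link).query)
    return {k: v[0] for k, v in qs.items()}


def handle_unsubscribe_post(form: dict) -> bool:
    """Server-side handler for the proxy field: the real field is updated
    only when the posted code matches the one derived for that lead+email."""
    try:
        lead_id = int(form["lead"])
        email = str(form["email"])
        code = str(form["code"])
    except (KeyError, ValueError):
        return False
    expected = unsubscribe_code(lead_id, email)
    # Constant-time compare so response timing does not leak matching prefixes.
    if not hmac.compare_digest(expected.encode(), code.encode()):
        return False
    UNSUBSCRIBED[email.strip().lower()] = True  # the "flow-based" update
    return True
```

Because the code is bound to both the lead id and the email, posting someone else's address with your own code fails, and walking sequential lead ids fails as well.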

Manish_Khemani1
Level 3

Re: Issue with Email Address in a form (Unsubscribe)

Thanks Stan,

I will try to make the Security team understand, but tell me if the following approach is right (which I came up with from your reply above):

If I append the Unsubscribe link with a parameter e.g. ?emai_address={{lead.Email Address}} and on the Unsubscribe Landing page form I fill in the Email address from this parameter, this way the user will only be able to unsubscribe her/himself. What do you think of this?

SanfordWhiteman
Level 10 - Community Moderator

Re: Issue with Email Address in a form (Unsubscribe)

If I append the Unsubscribe link with a parameter e.g. ?emai_address={{lead.Email Address}} and on the Unsubscribe Landing page form I fill in the Email address from this parameter, this way the user will only be able to unsubscribe her/himself. What do you think of this?

I think that won't do any good at all.

In your scenario, the person knows the email address of the person they're trying to maliciously unsubscribe. So they can just put that email address in the URL. (And a malicious person with only the slightest bit of skill can substitute the targeted email address directly into the form without it being in the URL, I mean, the Forms API is publicly documented, you don't even have to touch the form itself.)

I'm talking about a parameter that the attacker would not know.

Manish_Khemani1
Level 3

Re: Issue with Email Address in a form (Unsubscribe)

Hi Stan,

Is there a way I can use the Lead's id as a parameter and get the Unsubscribe page to show the email id for that Lead id, because there is less chance of a lead id being known by any other lead? Just thinking aloud!

SanfordWhiteman
Level 10 - Community Moderator

Re: Issue with Email Address in a form (Unsubscribe)

That won't work. Marketo will not translate the {{Lead.Id}} to the email address. Again: it doesn't matter if the Email Address was populated onto the form automatically, now or earlier. If you have somebody's email address, you can submit the form on their behalf, starting right now.

Also consider that if the Lead ID could be used in this way, it would allow for a catastrophic non-targeted hack. I could just walk over someone's database from Lead ID 100000, 100001, 100002 erasing people's information. There are a lot more permutations of email addresses than there are incrementing 6/7-digit integers!

Manish_Khemani1
Level 3

Re: Issue with Email Address in a form (Unsubscribe)

Oh yes Stan, I did not think of this!

You are absolutely right. I will go back to my Security team and explain it to them.

Thanks a bunch buddy.

Manish_Khemani1
Level 3

Re: Issue with Email Address in a form (Unsubscribe)

Hey Stan,

Just heard about the mkt_tok. Can I append the Unsubscribe link with &mkt_tok=##MKT_TOK##? Can this help me in any way?