SOLVED

Security problems with Preferences Center

Re: Security problems with Preferences Center

Hi Raul,

We use the mkt_tok URL parameter that is added by Marketo to links in emails. This parameter contains an encrypted unique identifier of the email addressee. Therefore, when the person clicks the email, the LP gets that information, identifies the person, and retrieves the data from the database. This overrides the munchkin cookie that might exist in the browser.

-Greg

Anonymous
Not applicable

Re: Security problems with Preferences Center

Hi Greg,

I asked you that because I previously submitted a form with someone else's email, then sent a sample email to myself, and when I clicked on the link, it had the mkt_tok but the prepopulated email wasn't the one related to the email but the one from the last submitted form. I think it might be a problem with the email since it was just a sample, not a real one...

Thank you!


Re: Security problems with Preferences Center

Yes, there is no mkt_tok on samples, so the cookie is used to pre-populate the fields.

-Greg

Anonymous
Not applicable

Re: Security problems with Preferences Center

Hi Greg,

Last question (I hope), does the mkt_tok parameter come in the URL always?

I need to update every single email so all our Unsubscribe links come with that parameter, but in the Email Templates it is hard to know since it is HTML code.

Regards,

Raúl

Level 10 - Community Moderator

Re: Security problems with Preferences Center

As long as the link doesn't have class="mktNoTok" or class="mktNoTrack" -- and, if emitted from a Velocity script, that it is a fully formed <a> tag -- it'll be mkt_tok-enized.
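
One way to audit an email template's HTML for links that opt out of mkt_tok, using the two class names from the reply above. This is an added example, not part of the original thread and not Marketo code; `audit_template`, `LinkAudit` and the sample template are hypothetical. It assumes exact-case class matching and only sees literal `<a>` tags, not links emitted by Velocity scripts.

```python
from html.parser import HTMLParser

# Class names taken from the reply above; exact-case matching is an assumption.
NO_TOKEN_CLASSES = {"mktNoTok", "mktNoTrack"}


class LinkAudit(HTMLParser):
    """Collect every <a href> and note whether a class opts it out of mkt_tok."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []  # (line, href, sorted opt-out classes found)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)  # HTMLParser lower-cases attribute names
        href = attr.get("href")
        if href is None:
            return  # named anchors carry no link to tokenize
        classes = set((attr.get("class") or "").split())
        line, _ = self.getpos()
        self.links.append((line, href, sorted(classes & NO_TOKEN_CLASSES)))


def audit_template(html):
    """Return (tokenized, opted_out) lists of links found in the template."""
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    tokenized = [link for link in parser.links if not link[2]]
    opted_out = [link for link in parser.links if link[2]]
    return tokenized, opted_out


# Constructed sample template; the URLs are placeholders.
SAMPLE = """<html><body>
<a href="https://example.com/offer">Offer</a>
<a class="footer mktNoTok" href="https://example.com/preferences">Unsubscribe</a>
<a href="https://example.com/privacy" class="mktNoTrack">Privacy</a>
</body></html>"""

if __name__ == "__main__":
    ok, skipped = audit_template(SAMPLE)
    for line, href, why in skipped:
        print(f"line {line}: {href} will not carry mkt_tok ({', '.join(why)})")
```

Any Unsubscribe or preference-center link that shows up in the opted-out list would fall back to the cookie for pre-population, which is the behaviour described earlier in the thread for sample emails.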

Level 10 - Community Moderator

Re: Security problems with Preferences Center

How are you injecting Javascript to the form? I would like to prevent the access using JS and allowing only from email's link.

Note you can't actually prevent people from posting the form using arbitrary data, as I mentioned above. Protection you add via JS isn't really protection at all -- except from people who are technically malicious, yet completely technically unskilled. Not a very large cohort.

This is not to say it won't help higher-ups feel better, just like JS-based field validation, but it doesn't quite rise to the level of "security."


Re: Security problems with Preferences Center

I learn a lot from these posts! Thank you all for taking the time to explain the details.