
The 4/6 Security Patch

Robb_Barrett
Marketo Employee

I'm not sure I understand today's message:

Please be advised that we implemented a security patch on April 6, 2016 to strengthen token encryption in email campaign links. No action is required on your part to implement the patch.

Email campaign links sent after this date will work in the usual manner. Emails sent prior to the patch deployment that have links that are automatically shortened will also work in the usual manner.

Emails sent prior to the patch deployment that have links that are not shortened (e.g. unsubscribe links, URLs containing tokens and webinar registration URLs) and contain links with an old token will continue to function as links and track link click events. However, if these links are clicked on, form pre-fill will be automatically disabled when serving the destination landing page.

By "Email Campaign Links" you mean regular links in emails?

Which links are automatically shortened?

What are "Links with an old token"?

So, if I have an old email and I click on the link it will take me to a page with a form that's not prefilled. If I fill out the form will it associate me with the current record I have and just update it?

Robb Barrett
Justin_Cooperm2
Level 10

Re: The 4/6 Security Patch

All links in emails:

<a href="http://www.cnn.com">click</a>

are tracked by default. This converts the link into a shortened, Marketo tracking link. When a user clicks it, they are directed to a page that includes a mkt_tok "token value".

The mkt_tok is generated dynamically when a user clicks the link. However, once you reach the destination, it will have mkt_tok in it. If the user bookmarked that page with an "old" mkt_tok token value, then moving forward this page will not prefill any forms (if it's a Marketo-hosted Landing Page). If they go back and click the original link in the email, it WILL work because it will re-generate a "new" mkt_tok value.

So, for a vast majority of cases, all will work as you expect. However, things like {{system.viewAsWebpageLink}} generate a link with the mkt_tok value at send time, not dynamically on click (in other words, these links are not shortened tracking links). In that case, old links will not function any longer due to this security patch. If you use Marketo's "Include View as Webpage" option in Edit Settings, that is not impacted, as that becomes a shortened, tracked link. Any tracked link is NOT impacted.

Does that make sense?



SanfordWhiteman
Level 10 - Community Moderator

Re: The 4/6 Security Patch

"this page will not prefill any forms"

Is that an elegant way of saying the lead will not be associated?  Or will that association be given a special "flavor" that doesn't allow prefill but is otherwise consistent?

Justin_Cooperm2
Level 10

Re: The 4/6 Security Patch

The page will not prefill AND the lead will not be associated. If you visit a page with an "old" mkt_tok, it is as if it isn't present. This also applies to external web pages with Munchkin embedded.

SanfordWhiteman
Level 10 - Community Moderator

Re: The 4/6 Security Patch

Yep, figured.

Dan_Stevens_
Level 10 - Champion Alumni

Re: The 4/6 Security Patch

So really this just impacts those pages that may have been bookmarked; or tokenized URLs, like "view as webpage"?

Justin_Cooperm2
Level 10

Re: The 4/6 Security Patch

I would say system tokenized URLs like {{system.viewAsWebpageLink}} or {{system.unsubscribeLink}} or {{system.forwardToFriendLink}}.

If you just have

<a href="{{my.URL}}">Click</a>

or

<a href="http://www.example.com/?myvalue={{my.foo}}">Click</a>

Links like this will NOT be impacted.
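Added example, not part of the original thread and not Marketo code: a small audit that scans an email template and sorts each link into the categories described in the replies above (send-time system tokens versus ordinary tracked links). The class and function names, the category labels and the sample template are assumptions made for illustration, as is treating a hard-coded mkt_tok parameter like a bookmarked URL.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# System tokens the thread names as embedding mkt_tok at send time.
SEND_TIME_TOKENS = {"system.viewAsWebpageLink", "system.unsubscribeLink",
                    "system.forwardToFriendLink"}
TOKEN_RE = re.compile(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}")


class HrefCollector(HTMLParser):
    """Collects the href of every <a> tag in an email template."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)


def classify(href):
    """Return 'send-time-token', 'static-mkt_tok' or 'tracked'."""
    if set(TOKEN_RE.findall(href)) & SEND_TIME_TOKENS:
        return "send-time-token"
    # Assumption: a mkt_tok pasted into the URL acts like a bookmarked page.
    if "mkt_tok" in parse_qs(urlsplit(href).query):
        return "static-mkt_tok"
    return "tracked"


def audit(template_html):
    collector = HrefCollector()
    collector.feed(template_html)
    return [(h, classify(h)) for h in collector.hrefs]


# Constructed sample template (hypothetical hosts, placeholder token value).
SAMPLE = """
<a href="http://www.example.com/?myvalue={{my.foo}}">Click</a>
<a href="{{my.URL}}">Click</a>
<a href="{{system.viewAsWebpageLink}}">View as webpage</a>
<a href="{{system.unsubscribeLink}}">Unsubscribe</a>
<a href="http://pages.example.com/offer.html?mkt_tok=PLACEHOLDER">Offer</a>
"""

for href, kind in audit(SAMPLE):
    print(f"{kind:16} {href}")
```

Links reported as send-time-token or static-mkt_tok in emails sent before April 6, 2016 are the ones to expect without prefill or lead association; everything reported as tracked regenerates its token on click.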

Anonymous
Not applicable

Re: The 4/6 Security Patch

Thanks for the clarification on this. We got a strange request from Support about an email preview link not working and moved the content over to a new landing page. Now I understand the source cause.