Hello,
Our web-security team told us that adding Marketo forms to other websites via scripts (embed code) is not secure and advised us to use the Marketo API.
While researching info about the Marketo API I faced one problem I really hope you can help me with:
As I understood from the post "Trigger Marketo Flow using REST API", when you push lead info from another form to Marketo using the API, the status in the User Activity Log will be "Person is Pushed".
1. Can we change this log message somehow, or at least track from which page the user was added to Marketo (needed for Marketo triggers)?
2. Does anyone have security issues with adding Marketo forms as embed code?
Thanks in advance.
"Not secure" is meaningless without details.
In fact, simply switching to REST API push instead of forms immediately opens a Denial of Service vulnerability.
So they have it backwards.
"Not secure" means that in the embed code Marketo shows the Marketo user ID without any "masking":
<script src="//00000.marketo.com/js/forms2/js/forms2.min.js"></script>
<form id="mktoForm_1039"></form>
<script>MktoForms2.loadForm("//000000.marketo.com", "000-000-000", 1039);</script>
Haha, what?
You can see that same public information in the Munchkin embed code (without which you can't do any web tracking).
That's like saying people can see your GTM ID in view-source. You have to be able to see information that is used in embed codes on public websites, whether for GA, Facebook, Twitter, any tracking pixel.
I got it, thanks ))
And what about changing the activity log from "Person is Pushed" to something specific? Is it possible?
Or do we need to create a new field in Marketo to hold the info about the page / form type (subscription, event, etc.) from a hidden field inside the non-Marketo form?
Some thoughts on this:
- make sure they understand that it's not really a "user ID": it does uniquely define your Marketo instance, but no one can use it to actually gain access to your data. To gain access to your data, they need to either have a login to your Marketo or have API credentials. Someone could use it to send spam data to your instance, but that's one-way: they would need more than that to pull data from your instance.
- I don't believe there's a way to customize that "Person is Pushed" activity, but if you are forced to go that route, you could try creating a custom activity to indicate that it's a form fill-out occurring. Understanding Custom Activities - Marketo Docs - Product Documentation.
I hope you can change their mind. Not being able to do a simple form post will create nightmares for you. You'll also lose Marketo's inferred data (Inferred Country, etc.) that are based on the person's IP address.
Thanks a lot!
It helps.
you could try creating a custom activity to indicate that it's a form fill-out occurring
That's true. But then it would take 3 metered API calls to sort-of-approximate what forms can do in a basically unlimited fashion.
Again, it's not that there aren't some acceptable justifications for turning to the API, and even a few very good ones. But exposing the Munchkin ID isn't in either group!
Sanford Whiteman, I'm curious to learn more about these acceptable justifications you mention. Which are the very good ones?
I'm wondering because I have inherited an instance which relies heavily on API...
Not being able to do a simple form post will create nightmares for you. You'll also lose Marketo's inferred data (Inferred Country, etc.) that are based on the person's IP address.
Not only that, but you have to turn off Munchkin if the Munchkin ID is really that much of a concern. And Marketo sans Munchkin approaches uselessness.
Bottom line is "leaking" the Munchkin ID -- also present in Marketo email headers, incidentally, so that's another way to obtain it -- just isn't a concern once you understand what the ID really is. It's not like an API client secret. It's like a Google Analytics web property ID, and it has to be publicly readable in order to be useful.
And what about changing the activity log from "Person is Pushed" to something specific? Is it possible?
No, it is not possible.
I haven't heard an informed justification for not using forms, so you should be using an embedded Marketo form to post, period.
When non-knowledgeable people make security suggestions, usually they lower the real security and reliability of a system.
I haven't heard an informed justification for not using forms, so you should be using an embedded Marketo form to post, period.
Hi Sanford, here are some approved examples of Marketo forms abuse:
Lack of input sanitization in Marketo form leads to execution of HTML in lead emails
Stealing contact form data using Marketo Forms XSS with postMessage frame-jumping and jQuery-JSONP
For #1, I believe you can use this: HTML Encode Tokens in Emails - Marketo Docs - Product Documentation
Right, there's a whole blog post on HTML encoding tokens for security.
The first is equally true of an API-based update without separate sanitization. Also, sanitization should be part of the output pipeline, not input; in Marketo, it's done via the HTML encode tokens checkbox (for LPs) or Velocity (for emails). For validation (input filtering) on Marketo forms, you can use proxy fields and/or sign prevalidated requests.
The second one is fixed, so I hardly see that as current justification. You could find any number of outdated vulnerabilities for any product!
Anyway, neither has any bearing on "exposing your Munchkin ID" as a vulnerability, and I was asking about sounder justifications from the original team.