My marketing team has encountered several instances of a lead clicking a link only to discover a form filled with another lead's data. Even though the info is usually nothing more than what could be gleaned from a LinkedIn profile, this is clearly undesireable as it looks like sloppy marketing (and a privacy breach.)
According to what I've learned from Marketo support, there are two ways that personal data can be passed between leads:
(1) A lead is sent a personalized link decorated with a unique key that identifies the viewer as a different lead.
a. Marketo creates custom links in emails in order to loop in tokens and other identifying data for the recipient, such that even if they are not cookied (or operating on an uncookied device) the underlying message can be personalized.
b. If a lead forwards an email with personalized links to a second individual, the first individual’s information will be retained in any underlying forms.
c. This kind of personalized link passing is almost exclusive to parties who know one another personally, often within the same company.
(2) A lead somehow inherits the cookie of another lead.
a. Local personalized information is stored on user devices via the Marketo “Munchkin” cookie, which is placed on users machines after visiting any Marketo asset. Once the lead is known to Marketo, this cookie is filled out with their information as it exists in the Marketo database.
b. If one user enters identifying information into a form on another user’s machine, the second user’s cookie will be updated with the first user’s information.
c. This is a sub-case of the personalized link scenario above, which essentially passes updates the recipient’s cookie when forwarded
Unfortunately I've also been told that the only way to prevent this is to disable form pre-fill under the Admin setting for landing pages, and this only works on the sender side, e.g. if the person's browser has pre-fill enabled, you could still get this scenario. Does anyone have a suitable workaround?
This is a limitation in Marketo but I don't see it happening too often. In most cases, it would happen only when someone forwards a marketing email to another user, and he clicks the link to a Landing Page with pre-filled info. Check out the form we implemented on one of our LPs: Grazitti Landing Page where we identify a returning user and show him a message if he is a different contact. You will have to fill out the form and then come back to main LP and refresh to see this. If user clicks that he is a different user, we reset the MKTO cookie.
Franklin, I think you're highlighting two non-issues and one real one.
Non-issue: People enter identifying info into a form on a formally shared -- or illicitly borrowed -- computer. You are not responsible for the consequences of this kind of stupidity recklessness. It's like a family or company sharing an email address and expecting magically to not see each other's stuff. The consequences go way beyond Marketo, for example sharing Amazon and GMail sessions. Don't worry about it.
Non-issue: People with form autofill turned on in their browsers. These functions exist to help people quickly fill in forms. They assume the computer is private. If people leave them turned on on a public computer, they bear responsibility for the consequences, which as above apply to every site they visit.
The Issue: People forwarding emails with personalized links. The Marketo lead is not asked to authenticate her/himself when clicking a link, hence the link constitutes a form of auto-login. If you have form prefill turned on in Marketo, you're explicitly trusting that the human that clicks the link is the lead, and thus you aren't showing them anything they don't already know about themselves. That's a feature when viewed from some angles, but a bug when viewed from others. The only way to protect against this information leak is to turn off form prefill. Simply having a "This isn't me" button obviously won't suffice because the damage is already done.
Franklin Rea this happened to us also. It happens less so with Forms 1.0. You have to disable auto-fill from the form 😕
We got the same input from Marketo support, however I think there is something else up. Now we mostly just disable our auto-fill...
hope this helps
Hi Allison,
I've seen this from time to time as well and gave up chasing it, chalking it up to 1 of Sanford's 3 explanations. I've always wondered if cached pages or server side caching could cause this. Do you use Pantheon or a service like it by chance?
Mark, a reverse proxy that is set to ignore cookies can absolutely cause a problem like this! If your proxy is forcibly caching pages that would otherwise be dynamic (and thus fetched from the origin server each time), you need to be 100.00% sure they are truly globally static pages, that is, they don't vary based on any end-user characteristics. There may be the temptation to think of "brochureware" pages as static, but as you know they can be highly personalized.
Mark Price not that I know of. But yes, I do think it's something to do with caching.. Sorry I can't be of more help.
So... I've just had a related issue raised by our GDPR Team here at Trend as a potential 'data breach' case. I guess it was just a matter of time...
Whatever the reason that the mkt_tok is being included in the LP URL - whether it is forwarded, posted incorrectly by a partner, whatever - surely there must be a way to strip the mkt_tok element out of the URL when someone lands on the page? Wouldn't that solve the problem? The form wouldn't prefill with the details passed in by the 'inbound' mkt_tok then, right?
If this is even possible, how would it impact the cookie stored on the real user's machine (the one that we want to use to prefill the form)?
Would really appreciate help on this one... as the guy who 'owns' Marketo, I feel like I'm on the uncomfortable side of the shooting gallery at the moment!
surely there must be a way to strip the mkt_tok element out of the URL when someone lands on the page?
You can strip the mkt_tok from the query string using JS and redirect or refresh the page immediately. But I fail to see how that eliminates the data breach concern, since someone can just skip over the JS if they want (for example, if you open the page in view-source, you'll see the Pre-Fill field values and you won't be redirected).
But if you don't want the mkt_tok you can already turn it off completely using the class "mktNoTok" on your links.
We had the same issue on a mass scale with sensative information.
An email was sent to many staff which linked to a form page (with form fields to collect staff personal data).
The email was sent to a group email address that redirected the email to many staff individual address.
The result was chaos with staff seeing each others personal data.
To fix the issue (quickly thanks to this thread) we turned of the "pre fill" default option on each individual form field.