Re: Google Tag Manager and Munchkin Code question

Mikes_Jones · ‎02-26-2015

So we've been having issues lately with other domains stealing our Munchkin Code. It seems as though a couple of domains had stolen our skin.js from our source code and deployed it on their website, inadvertantly taking our Munchkin Code as a result. Because of this, our analytics and reporting was all out of loop, filled with websites and data that we didnt' really care for.

So this leads me to Googel Tag Manager. The way GTM works, you use a "firing" rule to tell the tag exactly which pages to deploy the tag, in this case we could control specifically where the GTM tag is being called without having to worry about another domain stealing our code (in the future, it won't effect those who already have our code).

So I guess that leads me to my question - is this a recommended solution to prevent future domains/webmasters from snatching our Munchkin Code? We've talked to a few Marketo support specialists concerning this stolen munchkin issue but no one has been able to give us a conclusive answer. We've been suffering from broken analytics and reporting since last November and would really like to get back on track moving forward.

Thanks.

Mikes_Jones · ‎02-27-2015

Sanford also - if you could take that photo down when you get a chance, would be appreciated. Thanks

EDIT: Ah, I found it - well then, guess it doesn't matter if you take that picture down or not.

Thanks for all your input, definitely nice to learn something new.

Accidentally clicked "best answer", I didn't know it would mark the case as solved. For the record, case is not solved.

View solution in original post

SanfordWhiteman · ‎02-26-2015

Nothing can stop someone from redeploying your code. As I think I responded when you brought this up a few weeks ago, you must be allowed to redeploy your code on any number of domains without preregistering the domain with Marketo.

Using GTM is just needless, I would say useless, complexity. Your code is still publicly known once it gets inserted into the page. Maybe the fact that it's not initially in the markup would stop someone from accidentally scraping it, but not from deliberately scraping it.* If you're worried about is accidental scrapers, you might as well just wrap the Munchkin.init() call, like this:

if ( ["www.example.com","www.domainalias.com"].indexOf(document.location.host) !== -1 ) {
Munchkin.init()...
}

Also, the GTM JS is going to load very, very fast, but it can't possibly be faster than loading Munchkin on its own, since you're by definition loading another script over the network first. This is a minor consideration, though. The main consideration is that it doesn't add security.

* In fact a basic Save As, as long as the user has JS enabled, will include GTM-injected HTML. Like I said, not a security measure.

Mikes_Jones · ‎02-27-2015

Sandford,

Thanks for the breakdown!

Mikes_Jones · ‎02-27-2015

I guess my only other question is - why can't Marketo prevent this? I can't accept the answer that it's not possible, I haven't experienced people having the same issue with their Google Analytic codes getting stolen. Is Marketo just not taking all the measures to make sure this is prevented? The Munchkin is a huge component of Marketo, and to leave it vulnerable is dissapointing.

Dan_Stevens_ · ‎02-27-2015

I'd be interested in this as well. Thanks for surfacing this issue, Malik.

Anonymous · ‎02-27-2015

WOW!! I'm shocked this is happening. That has to be some kind of breach of contract for them to pull in someone elses website into your data. Whats the point of the rigourous setup procedure of providing them all the domains you are using if they can't regulate that?

SanfordWhiteman · ‎02-27-2015

A way Marketo could (partially) prevent this would be to have an advanced mode where you would have to list every single domain from which you want to accept analytics calls. This would have to include custom VisitWebPage calls as well. Would also have to be an opt-in feature for Marketo's customers or else it would break backward compatibility -- that is, people are loading legitimate Munchkin code on all their web properties (or clients' properties) , and that would all break if it were suddenly mandatory to list all the possible domains.

But that measure could only prevent accidental reuse of the code. If I maliciously wanted to clutter your analytics, even if you said you only accept analytics calls from http://www.malikz.com I could just send thousands of fake requests to Munchkin from that domain, and I wouldn't ever need to hit your real website.

Bottom line, though, is that the people who stole @Malik Z's code show no evidence of understanding what they were doing. Unless the goal was to muddle your analytics, there was no benefit to them. In reality, they hurt themselves by adding additional JS overhead on every page!

I feel that, had you wrapped your Munchkin.init() in the domain check as I showed above, they would've either left that code intact (which means they wouldn't have beeen calling Munchkin) or they would have deleted the code entirely (which also means no Munchkin). To deliberately change the domain list or exclude the check would be pretty bizarre (not impossible, I concede).

SanfordWhiteman · ‎02-27-2015

@Michael R There's isn't any such rigorous setup procedure. I can load Munchkin on any of our domain aliases. And rightfully so because we use all of those in advertising.

Certainly I can't imagine what contract is being breached as Marketo has no way of knowing that isn't just another site you operate.

Mikes_Jones · ‎02-27-2015

Also Sanford, I just re-read your comment, and to say that GTM is useless is confusing, and to suggest that it can be just as easily stolen doesn't really make sense since the whole point of GTM is the "firing" rule. So even if someone steals your GTM code, with the Marketo Munchkin code buried in it, and deploys it on their website, the actual Munchkin Code would not work becuase the "firing" rule would be set up for only your specific domain. So in this case, I feel as though using GTM could actually prevent this from happening.

Wondering if anyone from Marketo has any input on this

EDIT: This is assuming the code is stolen on accident. Of course, if someone really wants to mess with your website, I'm sure they can find a way, fortunately we aren't too worried about that.

Mikes_Jones · ‎02-27-2015

Sandford ... it doesn't really matter if the people who stole the code didn't know what they were doing, and it REALLY doesn't matter if they ended up hurting themselves. What does matter is that in the process they hurt MY analytics, causing MY reporting to be super inaccurate and having me to dig through hundreds of URLs so I could add them to a filtering list, though everyday a couple of new URLs pop up in there and it just ends up being a long cat and mouse game.

The whole concept of someone being able to swipe your Munchkin code, which is one of the most valuable aspects of Marketo, on ACCIDENT at that, is ridiculous. It completely degrades the quality of your analytics, which in my instance, is a pivotal part of my daily operation.