Re: Google Tag Manager and Munchkin Code question

Mikes_Jones
Level 8

So we've been having issues lately with other domains stealing our Munchkin Code. It seems as though a couple of domains had stolen our skin.js from our source code and deployed it on their website, inadvertently taking our Munchkin Code as a result. Because of this, our analytics and reporting was all out of loop, filled with websites and data that we didn't really care for.

So this leads me to Google Tag Manager. The way GTM works, you use a "firing" rule to tell the tag exactly which pages to deploy the tag, in this case we could control specifically where the GTM tag is being called without having to worry about another domain stealing our code (in the future, it won't affect those who already have our code).

So I guess that leads me to my question - is this a recommended solution to prevent future domains/webmasters from snatching our Munchkin Code? We've talked to a few Marketo support specialists concerning this stolen munchkin issue but no one has been able to give us a conclusive answer. We've been suffering from broken analytics and reporting since last November and would really like to get back on track moving forward.

Thanks.

1 ACCEPTED SOLUTION
Mikes_Jones
Level 8
Sanford also - if you could take that photo down when you get a chance, would be appreciated. Thanks

EDIT: Ah, I found it - well then, guess it doesn't matter if you take that picture down or not.

Thanks for all your input, definitely nice to learn something new.

Accidentally clicked "best answer", I didn't know it would mark the case as solved. For the record, case is not solved.

32 REPLIES
Mikes_Jones
Level 8
It's upsetting that this isn't at the very least an option for those of us who do care about the security and accuracy of our data.

It's like selling someone a new car with a universal lock to it. Yea, it's cool when you lose your keys, you can just pop in some random keys and go to work - but at the same time, any random person can pop their keys in and ride away with your car as well.

Again, would be nice to hear from someone at Marketo, surprised more people haven't brought this up before.
SanfordWhiteman
Level 10 - Community Moderator
"So even if someone steals your GTM code, with the Marketo Munchkin code buried in it"

That's not what happens. They scrape your website's HTML. That has your Munchkin code not "buried" in it but right there in the markup, injected by GTM before your enemies scrape the site.

GTM firing rules determine what tags will appear in the final markup of your page.  The act of stealing your page occurs after GTM fires.
SanfordWhiteman
Level 10 - Community Moderator
P.S. The same approach is used by embedded Forms 2.0.  They can go on any website.  And this "decontrol" is, in the end, a good thing.  Because based on what I know about Marketo users, they are focused on Marketing and Marketing Ops, but not Web Ops.  I know it may seem like a stretch to call this an IT matter, but in my experience Mktg folks expect things like domain aliases to "just work": they buy the domain, IT sets up the host header on the webserver, and away they go. Having to maintain a domain list in Marketo as well could be seen as cumbersome, regardless of the security benefits.  Of course this same laziness applies to IT folks (I know this, being one) but we don't really have an excuse, while a Mktg person can legitimately say, "That's too much and not my job."
Mikes_Jones
Level 8
Sanford ... it doesn't really matter if the people who stole the code didn't know what they were doing, and it REALLY doesn't matter if they ended up hurting themselves. What does matter is that in the process they hurt MY analytics, causing MY reporting to be super inaccurate and having me dig through hundreds of URLs so I could add them to a filtering list, though every day a couple of new URLs pop up in there and it just ends up being a long cat and mouse game.

The whole concept of someone being able to swipe your Munchkin code, which is one of the most valuable aspects of Marketo, on ACCIDENT at that, is ridiculous. It completely degrades the quality of your analytics, which in my instance, is a pivotal part of my daily operation.
Mikes_Jones
Level 8
Also Sanford, I just re-read your comment, and to say that GTM is useless is confusing, and to suggest that it can be just as easily stolen doesn't really make sense since the whole point of GTM is the "firing" rule. So even if someone steals your GTM code, with the Marketo Munchkin code buried in it, and deploys it on their website, the actual Munchkin Code would not work because the "firing" rule would be set up for only your specific domain. So in this case, I feel as though using GTM could actually prevent this from happening.

Wondering if anyone from Marketo has any input on this

EDIT: This is assuming the code is stolen on accident. Of course, if someone really wants to mess with your website, I'm sure they can find a way, fortunately we aren't too worried about that.
SanfordWhiteman
Level 10 - Community Moderator
@Michael R There isn't any such rigorous setup procedure. I can load Munchkin on any of our domain aliases. And rightfully so because we use all of those in advertising.

Certainly I can't imagine what contract is being breached as Marketo has no way of knowing that isn't just another site you operate.
SanfordWhiteman
Level 10 - Community Moderator
A way Marketo could (partially) prevent this would be to have an advanced mode where you would have to list every single domain from which you want to accept analytics calls. This would have to include custom VisitWebPage calls as well. Would also have to be an opt-in feature for Marketo's customers or else it would break backward compatibility -- that is, people are loading legitimate Munchkin code on all their web properties (or clients' properties), and that would all break if it were suddenly mandatory to list all the possible domains.

But that measure could only prevent accidental reuse of the code.  If I maliciously wanted to clutter your analytics, even if you said you only accept analytics calls from http://www.malikz.com I could just send thousands of fake requests to Munchkin from that domain, and I wouldn't ever need to hit your real website.

Bottom line, though, is that the people who stole @Malik Z's code show no evidence of understanding what they were doing.  Unless the goal was to muddle your analytics, there was no benefit to them. In reality, they hurt themselves by adding additional JS overhead on every page!  

I feel that, had you wrapped your Munchkin.init() in the domain check as I showed above, they would've either left that code intact (which means they wouldn't have been calling Munchkin) or they would have deleted the code entirely (which also means no Munchkin). To deliberately change the domain list or exclude the check would be pretty bizarre (not impossible, I concede).
Anonymous
Not applicable
WOW!! I'm shocked this is happening. That has to be some kind of breach of contract for them to pull in someone else's website into your data. What's the point of the rigorous setup procedure of providing them all the domains you are using if they can't regulate that?
Dan_Stevens_
Level 10 - Champion Alumni
I'd be interested in this as well.  Thanks for surfacing this issue, Malik.
Mikes_Jones
Level 8
I guess my only other question is - why can't Marketo prevent this? I can't accept the answer that it's not possible, I haven't experienced people having the same issue with their Google Analytic codes getting stolen. Is Marketo just not taking all the measures to make sure this is prevented? The Munchkin is a huge component of Marketo, and to leave it vulnerable is disappointing.
Mikes_Jones
Level 8
Sanford,

Thanks for the breakdown!
SanfordWhiteman
Level 10 - Community Moderator
Nothing can stop someone from redeploying your code.  As I think I responded when you brought this up a few weeks ago, you must be allowed to redeploy your code on any number of domains without preregistering the domain with Marketo. 

Using GTM is just needless, I would say useless, complexity. Your code is still publicly known once it gets inserted into the page. Maybe the fact that it's not initially in the markup would stop someone from accidentally scraping it, but not from deliberately scraping it.* If what you're worried about is accidental scrapers, you might as well just wrap the Munchkin.init() call, like this:

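// Only initialize Munchkin when the page is served from one of your own hosts
if ( ["www.example.com","www.domainalias.com"].indexOf(document.location.host) !== -1 ) {
    Munchkin.init("XXX-XXX-XXX"); // placeholder for your Munchkin account ID
}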

Also, the GTM JS is going to load very, very fast, but it can't possibly be faster than loading Munchkin on its own, since you're by definition loading another script over the network first.  This is a minor consideration, though. The main consideration is that it doesn't add security.

* In fact a basic Save As, as long as the user has JS enabled, will include GTM-injected HTML.  Like I said, not a security measure.
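
A fuller version of the host check discussed in this thread, as an added example that is not part of any of the posts above. It goes beyond the exact-match `indexOf` test by normalizing case, port and trailing dot and by accepting subdomains of an allowlisted name; the host names, the `XXX-XXX-XXX` account ID and the helper names are placeholders. As the thread points out, a client-side check like this only stops accidental reuse of copied markup.

```javascript
// Added example: hosts below are placeholders, not values from the thread.
const ALLOWED_HOSTS = ["example.com", "www.domainalias.com"];

// Normalize a host string: lower-case, drop a port and a trailing dot.
function normalizeHost(host) {
  return String(host || "")
    .trim()
    .toLowerCase()
    .replace(/:\d+$/, "")
    .replace(/\.$/, "");
}

// True when host equals an allowlisted name or is a subdomain of one.
// The leading-dot test stops "notexample.com" from matching "example.com".
function isAllowedHost(host, allowed) {
  const h = normalizeHost(host);
  if (!h) return false;
  return allowed.some(function (entry) {
    const a = normalizeHost(entry);
    return h === a || h.endsWith("." + a);
  });
}

// Call init only on allowlisted hosts; returns whether it fired.
// `munchkin` is passed in so the guard can be exercised outside a browser.
function initMunchkinIfAllowed(host, munchkin, accountId, allowed) {
  if (!munchkin || typeof munchkin.init !== "function") return false;
  if (!isAllowedHost(host, allowed)) return false;
  munchkin.init(accountId);
  return true;
}

// In a browser, after munchkin.js has loaded:
if (typeof document !== "undefined" && typeof Munchkin !== "undefined") {
  initMunchkinIfAllowed(document.location.host, Munchkin, "XXX-XXX-XXX", ALLOWED_HOSTS);
}
```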