Re: Google Tag Manager and Munchkin Code question

Mikes_Jones · ‎02-26-2015

So we've been having issues lately with other domains stealing our Munchkin Code. It seems as though a couple of domains had stolen our skin.js from our source code and deployed it on their website, inadvertantly taking our Munchkin Code as a result. Because of this, our analytics and reporting was all out of loop, filled with websites and data that we didnt' really care for.

So this leads me to Googel Tag Manager. The way GTM works, you use a "firing" rule to tell the tag exactly which pages to deploy the tag, in this case we could control specifically where the GTM tag is being called without having to worry about another domain stealing our code (in the future, it won't effect those who already have our code).

So I guess that leads me to my question - is this a recommended solution to prevent future domains/webmasters from snatching our Munchkin Code? We've talked to a few Marketo support specialists concerning this stolen munchkin issue but no one has been able to give us a conclusive answer. We've been suffering from broken analytics and reporting since last November and would really like to get back on track moving forward.

Thanks.

Mikes_Jones · ‎02-27-2015

Sanford also - if you could take that photo down when you get a chance, would be appreciated. Thanks

EDIT: Ah, I found it - well then, guess it doesn't matter if you take that picture down or not.

Thanks for all your input, definitely nice to learn something new.

Accidentally clicked "best answer", I didn't know it would mark the case as solved. For the record, case is not solved.

View solution in original post

Anonymous · ‎07-02-2015

Hi All,

After submitting a similar question to support and being told this isn't currently possible. I have added a suggestion to add a functionality that would allow us to A) run a report of all the websites our munchkin appears on and B) have some kind of way to clean up or stop tracking from places where the use is unauthorized.

Please vote it up so we can get this added to the roadmap.

Mikes_Jones · ‎07-02-2015

Thanks Jana Lass for adding the suggestion - I will definitely upvote it and hope it gains from traction, would definitely help with reliable data!

Anonymous · ‎07-02-2015

If you have any other members of your team with Marketo access that could help vote it up, feel free to pass it around. I am trying to get it up voted as quickly as possible as this has been a huge issue for us as well.

Mikes_Jones · ‎07-02-2015

Yep, already had one other team member upvote it, will continue to pass it around.

Anonymous · ‎08-16-2018

Me to, as customer new to Marketo, but searching forums for others using GTM to deploy the munchkin code. I also voted for the enhancement on

BTW, any update on this issue or other way to address/mitigate the risk?

SanfordWhiteman · ‎08-16-2018

BTW, any update on this issue or other way to address/mitigate the risk?

Can't imagine anyone charged with assessing risk would actually care about this.

Anyone can forge Google Analytics hits, Munchkin hits, Looker hits, whatever without visiting your pages (and without actually cribbing your HTML). That's the nature of web analytics.

Mikes_Jones · ‎02-27-2015

I will pass that information on to our web team, again, thanks a bunch.

SanfordWhiteman · ‎02-27-2015

@Malik Z I'd recommend that you add something like JavaScript wrapper that I posted. I'll point it out to our own web team as well. Even better, wrap it in a function called something like reportStolenHTML(){}. I think 99% of copycats would delete that entire section if they saw that.

Mikes_Jones · ‎02-27-2015

Sanford also - if you could take that photo down when you get a chance, would be appreciated. Thanks

EDIT: Ah, I found it - well then, guess it doesn't matter if you take that picture down or not.

Thanks for all your input, definitely nice to learn something new.

Accidentally clicked "best answer", I didn't know it would mark the case as solved. For the record, case is not solved.

SanfordWhiteman · ‎02-27-2015

@Malik Z I found the code by checking Web Inspector in Chrome (EDIT: yes, on your special test page) -- and you'll see it if you Save the page as well.

When you save a page, you get the full markup as it looked when you hit Save, rather than the static markup that first comes from the server. To be honest it wasn't any harder. I don't think a dedicated copycat is using View Source, they're saving the page, maybe via a special spidering tool instead of a browser.

I think we are ultimately on the same side here. The feature should exist. It's just that I am less surprised than you and @Michael R, since I know that Marketo's ease-of-use (such as it is!) is aided by not mandating that users add filters.

Mikes_Jones · ‎02-27-2015

Thanks for the input Sanford, not sure how you found that code, but then again I'm not as technical as you are. Though, I think we can both agree, that using GTM makes it a little bit harder to take the code - but there's no doubt in my mind that a motivated individual could definitely find it if they wanted too.

Hope Marketo fixes/addresses this one day 😉

EDIT: Also, just to be clear, I do realize the munchkin code is being deployed on our main page - I was only using the LP as an example - but if you were able to find the munchkin code in the Landing Page that I posted, then yes, pretty cool.

SanfordWhiteman · ‎02-27-2015

And when I scrape the page, I see this. Your Munchkin code.

Look, I'm not trying to get into a contest. The reality is that the unwanted hits would have to be discarded by Marketo's servers, which means in turn there needs to be a UI to enter all your domains. I agree this feature should be added, but at the same time I'm not shocked that there was no filtering before, because I know there was no place to enter the filter.

Mikes_Jones · ‎02-27-2015

Sanford

The following template has Munchkin DISABLED, the Munchkin Code is being pulled in soley through Google Tag Manager.

http://pages.r2integrated.com/TEST_TEST_munchkin.html

Now, I checked the page source and could not locate any instances to the munchkin code, only the Google Tag code. Thoughts?

SanfordWhiteman · ‎02-27-2015

Add Munchkin via GTM. That is what you should be testing. (GTM has a special plugin for GA, which means that is not an appropriate testbed.)

Technical rule: any elements injected into your markup can be scraped. It's just a fact of browser life.

Mikes_Jones · ‎02-27-2015

Sanford, can you please elloborate on the GTM code and whether it's in teh markup or not?

Here is our website: www.r2integrated.com

When you view the page source, you will see a GTM tag. Within that tag is a Google Analytics tag, but you won't see that in the markup of the page source ... unless it's there, and I just don't see it. Let me know if you can find it 🙂

SanfordWhiteman · ‎02-27-2015

I feel like we told them the domains we had in the beginning. I thought it was just for this purpose. I could be wrong, this is my tenth instance or so I've touched.

You probably are thinking of branding domains, landing page domains, or setting up SPF/DKIM for sending domains. Those are all different issues.

I feel like I lied to so many people about saying Munchkin is secure.. They should know as they should be logging this in their backend no? I mean its like Malik is saying, lets just leave the front door open and see who walks in there.

I don't understand the concept of a public analytics tracking code being "secure." I'm an IT guy and that's not an expression I would use. As noted above, GA is just as, shall we say, insecure by default... what you should be requesting is the option to filter, not that everything be prefiltered. It should be obvious by now that a marketing company managing potentially thousands of client domains has not entered those domains into the Marketo interface, since there is no place to put them.

SanfordWhiteman · ‎02-27-2015

Within the above code will contain your Munchkin Code, but it's not actually visible on the site's HTML markup, therefore it keeps your code secure and out of harms way.

This is not true, but I'm not going to belabor the point with you if you won't test.

SanfordWhiteman · ‎02-27-2015

The whole concept of someone being able to swipe your Munchkin code, which is one of the most valuable aspects of Marketo, on ACCIDENT at that, is ridiculous. It completely degrades the quality of your analytics, which in my instance, is a pivotal part of my daily operation.

It's a pivotal part of everybody's operation! I understand that you're upset, but I don't think this completely degrades the quality of your analytics, provided you apply appropriate filters when reporting. Then again, I'm not saying Marketo shouldn't add the ability to pre-filter, I'm just saying they shouldn't go back in time and force everyone to enter a filter. Google Analytics, for example, allows you to apply a filter, but by default there is no filter -- thus just as vulnerable as Marketo.

Anonymous · ‎02-27-2015

Rigourous = detailed I guess 🙂

I feel like we told them the domains we had in the beginning. I thought it was just for this purpose. I could be wrong, this is my tenth instance or so I've touched.

I feel like I lied to so many people about saying Munchkin is secure.. They should know as they should be logging this in their backend no? I mean its like Malik is saying, lets just leave the front door open and see who walks in there.

Mikes_Jones · ‎02-27-2015

Sandford, I'm not sure if you've ever used GTM before, but the code is infact buried within a universal GTM tag. So in the source of your website, you'll just see a tag that looks something like this:


<noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-EXAMPLE"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-EXAMPLE');</script>


Within the above code will contain your Munchkin Code, but it's not actually visible on the site's HTML markup, therefore it keeps your code secure and out of harms way.