Sanford Whiteman - sent you an email.
I'm also interested in what you learned, but I can't see a place to PM you from here.
We have to be following each other. tl;dr I found a bug and a ticket is open. The feature is broken at present.
Delivering Exceptional Skype for Business Quality of Experience | Exinda -> Click this link, Marketo Form#1 will appear with 4 input fields. If you submit this page and come back again, MKTO + Cookies will have your info and Form#2 will load. You submit that and come back again, No Form (Form#3) will load and I've captured all the required info from you. I've used API calls to populate your missing info.
It's working for us! Thanks all for sharing ideas.
-Syed
... except you've introduced a DoS vulnerability by consuming an API call in response to individual end-user actions.
You've also created a wildcard CORS endpoint through which any third-party site can gather data on your leads just by knowing an email address.
I have major misgivings about this approach.
Yes, agreed with DoS attack. But for now, we are not even close to our 10k daily limit.
Not sure about CORS, can you explain?
Also, waiting for your blog.
Yes, agreed with DoS attack. But for now, we are not even close to our 10k daily limit.
But it'll take an elementary hacker a half-hour to break everything. That's too risky for my environments.
Not sure about CORS, can you explain?
You've created an endpoint that would allow me to retrieve data from your Marketo instance from any other site on the web. I'd only need to have the email address of a lead. Such a vulnerability exists whenever you use prefill, but it is not typically possible from the browser on other sites. The fact that I can access your data from any other domain means you can't block malicious use by IP, since it could come from anywhere: a hacker could induce unwitting leads to, in effect, hack themselves.
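An added example, not code from anyone in this thread: a sketch of how a server-side prefill endpoint could refuse cross-site browser callers and cap its own API spend before touching the Marketo API. `ALLOWED_ORIGINS`, `PREFILL_BUDGET`, `PER_CLIENT_PER_HOUR`, `Budget`, `handlePrefill` and `lookupLead` are all hypothetical names and constructed values; only the 10k daily limit comes from the thread.

```javascript
// Constructed values for illustration.
const ALLOWED_ORIGINS = new Set(["https://www.example.com"]);
const PREFILL_BUDGET = 2000;   // assumption: slice of the 10k daily limit this endpoint may spend
const PER_CLIENT_PER_HOUR = 5; // assumption: lookups allowed per client IP per hour

// Weak form: always sending "Access-Control-Allow-Origin: *" lets a page on
// any site read the response. Here only listed origins get a CORS header.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
}

// Tracks API calls spent today, in total and per client per hour.
class Budget {
  constructor() { this.day = null; this.total = 0; this.perClient = new Map(); }
  allow(clientId, now) {
    const day = new Date(now).toISOString().slice(0, 10);
    if (day !== this.day) { this.day = day; this.total = 0; this.perClient.clear(); }
    const key = clientId + "|" + Math.floor(now / 3600000);
    const used = this.perClient.get(key) || 0;
    if (this.total >= PREFILL_BUDGET || used >= PER_CLIENT_PER_HOUR) return false;
    this.perClient.set(key, used + 1);
    this.total += 1;
    return true;
  }
}

// req is a plain object { origin, clientIp, email }; lookupLead stands in for
// the upstream API call. Both checks run BEFORE the lookup, so a rejected
// request costs no API call.
function handlePrefill(req, budget, lookupLead, now = Date.now()) {
  const headers = corsHeaders(req.origin);
  if (!headers) return { status: 403, headers: {}, body: null };
  if (!budget.allow(req.clientIp, now)) return { status: 429, headers, body: null };
  return { status: 200, headers, body: lookupLead(req.email) };
}
```

The `Origin` header is only trustworthy from browsers, so this restores the "not possible from other sites in the browser" property and bounds quota burn; it does not change the fact that the lookup is keyed on an email address alone.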
Hi Sanford Whiteman,
So just to recap all this thread, progressive profiling does work for embedded forms for all form fields (standard and custom) by using this process http://developers.marketo.com/blog/external-page-prefill/ ?
Thanks.
No, it does not.
The process described should never be used by a professional organization. It leaves your instance open to a trivial Denial of Service attack, and while it may work in the "lab", it is not fit for the real world.
It should also be noted that "progressive profiling" works for embedded forms out-of-the-box. PP is different than "form prefill".