Your Achievements
Level 1
0% to
Level 2
Next /
to gain points, level up, and earn exciting badges like the new Applaud 5 BadgeLearn more!
View All BadgesSign in to view all badges
Open Alert Bar
SOLVED

Question about security triggering a webhook via a form-fill-out.

Go to solution
Chris_Morris1
Level 4
Level 4
‎08-25-2022 08:52 PM
‎08-25-2022 08:52 PM

Question about security triggering a webhook via a form-fill-out.

I have a use case where I'd like to use a 'stand alone', not public-facing Marketo landing page with a form for my internal users. They need to be able to trigger individual SMS messages to specific customers.

I've built out a program where the triggger 'fills out form' calls the Twillio webhook and sends the specific SMS message. Our representatives fill in the form with the required info for Marketo to locate the person record. 

How vulnerable is my Twilio account using this method?

0 Likes
396
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎08-25-2022 09:38 PM
‎08-25-2022 09:38 PM

Re: Question about security triggering a webhook via a form-fill-out.

 

I have a use case where I'd like to use a 'stand alone', not public-facing Marketo landing page with a form for my internal users.

There’s not really any such thing as a non-public-facing Marketo LP, though using an unguessable GUID for the page name may be acceptable here.

 

How vulnerable is my Twilio account using this method?

It’s as vulnerable as the page is findable.

 

Let’s accept that the URL is unguessable. But that doesn’t mean it isn’t circulated via emails. Maybe it’s accidentally forwarded outside the company or revealed in a screenshot or screenshare. Maybe it’s pasted into an internal site and revealed to someone (also internal) who shouldn’t know about it. Or somebody disgruntled leaves the company, and even if their corporate login is turned off they can still reach the page.

 

Granted, all these concerns apply to things like Google Docs that are “editable by anyone with the URL” — something that’s pretty common these days! But if your org has rules against one they’d also want to prohibit the other.

View solution in original post

392
Reply
1 REPLY 1
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎08-25-2022 09:38 PM
‎08-25-2022 09:38 PM

Re: Question about security triggering a webhook via a form-fill-out.

 

I have a use case where I'd like to use a 'stand alone', not public-facing Marketo landing page with a form for my internal users.

There’s not really any such thing as a non-public-facing Marketo LP, though using an unguessable GUID for the page name may be acceptable here.

 

How vulnerable is my Twilio account using this method?

It’s as vulnerable as the page is findable.

 

Let’s accept that the URL is unguessable. But that doesn’t mean it isn’t circulated via emails. Maybe it’s accidentally forwarded outside the company or revealed in a screenshot or screenshare. Maybe it’s pasted into an internal site and revealed to someone (also internal) who shouldn’t know about it. Or somebody disgruntled leaves the company, and even if their corporate login is turned off they can still reach the page.

 

Granted, all these concerns apply to things like Google Docs that are “editable by anyone with the URL” — something that’s pretty common these days! But if your org has rules against one they’d also want to prohibit the other.

393
Reply
Home