Re: Security problems with Preferences Center

How are you injecting Javascript to the form? I would like to prevent the access using JS and allowing only from email's link.

Note you can't actually prevent people from posting the form using arbitrary data, as I mentioned above. Protection you add via JS isn't really protection at all -- except from people who are technically malicious, yet completely technically unskilled. Not a very large cohort.

This is not to say it won't help higher-ups feel better, just like JS-based field validation, but it doesn't quite rise to the level of "security."

There are various ways, but all of the will require at least some modification to the LP template.

Are you familiar with form 2.0 API ?

read this: Best way to add a script in a guided landing page

-Greg

Marketo will automatically add the Mkt_tok parameter as soon as you make the linjk traceable in the email. It does not need more. From the mkt_tok, Marketo will be able to identifiy the person and retrieve the data from the database without any cookie.

-Greg

You can't.

The only thing that distinguishes a legit mkt_tok-enized link from a fake mkt_tok-enized link is whether, in the absence of an associated cookie, the link succeeds in pre-filling fields.

+1 on this, and this how we secure Preference centers:

• We remove the cookie on page entry on the PC page, before the munchkin is ran. No data can be extracted from the database if the Mkt_tok is not present
• If no Mkt_tok is present in the URL, we redirect to an identification page on page entry. That identification page is a no traced page with a form on which the only field is the email address. The visitor enters his email address and receives an email with a link to the PC page (with an Mkt_tok in it).
• After the page is entered and the form is loaded, we check whether an email address has been retrieved from the Mkt_tok. If not, we redirect to the identification page
• and we look the email field so that the person cannot change the email address (although a hacked could easily override this one)

In fact, we rely on how Marketo has encrypted the Mtk_tok to identify the person.

It does not cover the case of email forwarding, though. we have not found a way to cover this case. Hoping people will not forward emails to people they do not know (This is wishful thinking, obviously but it should not happen so often).

-Greg

Hi Raul,

We do not. If some one new want to enter the database and access the preference center and indicate his preferences, that's OK, since the preference center is an opt-in form.

-Greg

We all feel your pain Preferences Centers are generally discussed as easy to setup but once you start digging in there is a lot to take into account and consider even without all of the new GDPR requirements. I complete agree with Stanford and Grégoire both helped with questions as I was going through this process, one thing we did was split out our Preferences Center into different functional areas that all work together.

The public subscription page, accessible on our website. The only trick we used here was to clear the cookie value on the form submission so that data is entered without being tied to an existing cookie ID. This is only able to add to new and update existing subscription, not remove any details. This uses a double opt-in, so unless you confirm your selection by clicking a link in the confirmation email everything changes back after 24 hours.

Manage your subscriptions page, only accessible from an email link. This clears any cookies before being loaded and uses only the data provided through the Marketo URL string to pre-populate contact details and existing subscriptions. This can both add and remove contact details and subscriptions. This also uses a double opt-in for any new subscription added.

Unsubscribe page, again only accessible from an email link. This also clears any cookies before being loaded and uses only the data provided through the Marketo URL string to pre-populate contact details and existing subscriptions. This can remove individual newsletter subscription or all newsletter subscriptions. No confirmation needed, but you are only able to unsubscribe the person that the email was sent to, that you clicked over from.

...and because we have a number of different business units each with there own version of the above pages we also have a "Global Unsubscribe" page, only accessible from the individual unsubscribe page that removes you from everything across the whole organization. This also only uses the Marketo URL string to pre-populate contact details. which means you are only able to unsubscribe the person that the email was sent to, that you clicked over from.

Hi Raul,

We use Mkt_tok URL parameter that is added by Marketo to links in emails. this parameter contains an encrypted unique identifier of the email addressee. Therefore, when the person clicks the email the LP get that information and identifies the person and retrieves the data from the database. This overrides the munchkin cookie that might exist on the browser.

-Greg

Yes, there is no mkt_tok on samples, so the cookie is used to pre-populate the fields.

-Greg

As long as the link doesn't have class="mktNoTok" or class="mktNoTrack" -- and, if emitted from a Velocity script, that it is a full-formed <a> tag -- it's be mkt_tok-enized.

We remove the cookie on page entry on the PC page, before the munchkin is ran. No data can be extracted from the database if the Mkt_tok is not present

That's not exactly so. You have to remove the cookie ​and refresh the page without the cookie​ in order for the database record to not be loaded. The cookie has already been transmitted to Marketo during the HTTP request, and the Pre-Fill block injected into the HTML, by the time the page is drawn into the browser.  Deleting the cookie at that point after the page is drawn doesn't make the Pre-Fill info go away.

Thx for this precision. Will do so.

-Greg