Your Achievements
Level 1
0% to
Level 2
Next /
to gain points, level up, and earn exciting badges like the new Applaud 5 BadgeLearn more!
View All BadgesSign in to view all badges
Open Alert Bar
SOLVED

Security problems with Preferences Center

Go to solution
Grégoire_Miche2
Level 10
Level 10
‎05-31-2018 02:31 PM
‎05-31-2018 02:31 PM

Re: Security problems with Preferences Center

Hi Raul,

We use Mkt_tok URL parameter that is added by Marketo to links in emails. this parameter contains an encrypted unique identifier of the email addressee. Therefore, when the person clicks the email the LP get that information and identifies the person and retrieves the data from the database. This overrides the munchkin cookie that might exist on the browser.

-Greg

1,685
Reply
Anonymous
Not applicable
‎06-01-2018 07:38 AM
‎06-01-2018 07:38 AM

Re: Security problems with Preferences Center

Hi Greg,

I asked you that because I previsoly sunimted a form with someone else email, then sent a samle email to myself and when I clicked in the link, it had the mkt_tok but the prepopulated email wasn't the one related to the email but the last submited form. I think it might be a problmen with the email since it was just a sample not a real one...

Thank you!

0 Likes
1,685
Reply
Grégoire_Miche2
Level 10
Level 10
‎06-01-2018 09:42 AM
‎06-01-2018 09:42 AM

Re: Security problems with Preferences Center

Yes, there is no mkt_tok on samples, so the cookie is used to pre-populate the fields.

-Greg

1,685
Reply
Anonymous
Not applicable
‎06-01-2018 12:41 PM
‎06-01-2018 12:41 PM

Re: Security problems with Preferences Center

Hi Greg,

Last question (I hope), does the mkt_tok parameter come in the URL always?

I need to update every single email so all our Unsubscribe links come with that parameter, but on the Email Templates is hard to know since it is html code.

Regards,

Raúl

0 Likes
1,685
Reply
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎06-01-2018 01:12 PM
‎06-01-2018 01:12 PM

Re: Security problems with Preferences Center

As long as the link doesn't have class="mktNoTok" or class="mktNoTrack" -- and, if emitted from a Velocity script, that it is a full-formed <a> tag -- it's be mkt_tok-enized.

1,685
Reply
SanfordWhiteman
Level 10 - Community Moderator
Level 10 - Community Moderator
‎05-25-2018 01:19 AM
‎05-25-2018 01:19 AM

Re: Security problems with Preferences Center

How are you injecting Javascript to the form? I would like to prevent the access using JS and allowing only from email's link.

Note you can't actually prevent people from posting the form using arbitrary data, as I mentioned above. Protection you add via JS isn't really protection at all -- except from people who are technically malicious, yet completely technically unskilled. Not a very large cohort.

This is not to say it won't help higher-ups feel better, just like JS-based field validation, but it doesn't quite rise to the level of "security."

1,685
Reply
Shannon_Kelly1
Level 4
Level 4
‎05-31-2018 02:24 PM
‎05-31-2018 02:24 PM

Re: Security problems with Preferences Center

I learn a lot from these posts! Thank you all for taking the time to explain the details.

1,685
Reply
Home