Hello All,
At the moment we're having Marketo forms on website, allowing a "Newsletter Subscription", and also contacts can visit Marketo Landing Page(LP) to complete the Unsubscribe Form to unsubscribe from these emails. The Unsubscribe form consists of "email address" field, and "Unsubscribe" marketo fiend which is hidden, type Boolean, just to be true or false. This triggers the campaign and contact Unsubscribes.
The problem is: anybody can unsubscribe anybody, just adding any email in that field, so we want to make a "Confirmation email", which should contain a button with a link to "Thank you" page, confirming that contact unsubscribed, so the campaign should run after this, which is not hard to implement.
The second problem is: this can be easily hacked, so, what security asked us to do, is generating some kind of Unique Identifier, to have it added to that "confirmation email", and after clicking the link, to also go to that "Thank you" page so we knew that this button was clicked by exactly that contact.
Questions:
If there is a possibility having a call- i'm available at 9am-6pm GMT + 2 time, or just let me know when it's comfortable for you, i'm flexible. Think the call would help better, screen sharing session is very informative usually.
Thank you.
Regards,
Alexandr
I probably don't have an answer to your specific problem, but let me add some thoughts anyway.
1. Yes, true. Anybody can unsubscribe anybody. But I've never experienced that to be real-world problem. It totally can happen, but it doesn't.
2. I find a confirmation email to confirm an unsubscribe request dubious. People don't want your emails, including this confirmation. And in addition: How can that be so easily be hacked? You need access to that email address' inbox to confirm the unsubscription, don't you? It's a common procedure for opt-ins, why shouldn't it work for opt-outs as well?
3. A solid unique ID in Marketo is the Marketo ID. {{lead.Id}}
Hello Michael,
Thank you for sharing your thoughts.
1. Our BA has some experience in Security, and he told that all these actions can be reproduced, not easily of course, but it's possible, and Generating a Unique Identifier for every contact could do the job. I'm just curious if there is something like that in Marketo.
2.For newsletter subscription we're also thinking to change thing in this direction.
3. Like i said, Marketo ID is not good because it's numbers only.
3. Like i said, Marketo ID is not good because it's numbers only.
This statement doesn't make sense. The uniqueness of an identifier has nothing to do with it being numeric or alphanumeric. An auto-incrementing integer column in a database is unique by definition.
Nevertheless there is another field in Marketo, Marketo Unique Code, which happens to use uppercase letters and numbers 0-9.
But the fact that it appears as an alphanumeric string doesn't itself make it more or less unique. A Base36 representation of an integer — like a flight confirmation code KF12OI is alphanumeric, after all. But they're exactly the same value (1234567890 = KF12OI).
Generating a Unique Identifier for every contact could do the job. I'm just curious if there is something like that in Marketo.
You do have multiple unique identifiers. But having the ID, on its own, doesn't change the logic. You also need to compare the passed identifier with the stored value in the db. This comparison can be done using a webhook.
Hi Sanford, thank you very much, may i ask you to describe how to set a webhook for this case correctly?
I understand how to send a mail to customer with a link to "Subscription Confirmation" page, and the Unique Identifier can be set as invisible. But how do i set up the Webhook? What links should be used, i believe i should have some secret keys and so on... how do i get all that data?
But how do i set up the Webhook? What links should be used, i believe i should have some secret keys and so on... how do i get all that data?
You'd need to have a webhook-compatible service that can do a simple field compare. So yes — there would be credentials necessary (X-Api-Key or Authorization header or suchlike) but they'd depend on the server setup.
There's also a way to use a specially-crafted Marketo LP as an XML service and call that as a webhook (strange as that sounds) to compare 2 strings, so everything is within Marketo. It's very obscure, though, and far from supported.
This is definitely the best practice answer. The best approach here would be to see if the theoretical problem of bot submissions to that unsubscribe form exists before you degrade the customer experience to solve it.
Many people (myself included) would find a confirmation email to unsubscribe quite unnecessary. Just like with opt-in flows, you will only get a certain percentage of people who see that email and click the confirmation. And those who don't click that confirmation will get more of your emails, and will no doubt complain and mark you as spam, doing large damage to your IP reputation.
And that's without even getting into the webhook check you are looking to perform. As Sanford has mentioned, it's possible to do, but it is a fair bit of technical work, and it seems very unnecessary.
Phil, the concern here isn't really bot submissions but malicious human hacker submissions.
There' s no doubt such a vulnerability exists, and while I agree that it's rarely been exploited in my experience, w/security vulnerabilities it's enough to say it's easy to do — it doesn't have to be seen in the wild.
But more important, you don't need a separate confirmation email if they clicked a link to get the site! Maybe that wasn't clear. Your links always include the Marketo Unique Code, and the value can be saved in a cookie. It acts much like an XSRF token: the token has to be attached to any form post or sensitive field updates are rejected. The token is something a hacker wouldn't have, so they couldn't unsubscribe someone else, even if they knew their email address.
That's why I have seen examples of unsubscribe pages where the email address is only shown as a token, but not included on the form to populate (it would be there as a hidden field of course). That way, you really ensure only the person clicking the link in the email will be able to unsubscribe.
I totally agree with all the comments here that adding MFA to an unsubscribe makes for a horrible customer experience and in some countries would actually be seen to go against privacy regulations.