Marketo Forms Security Flaw

Anonymous
Not applicable

Marketo Forms Security Flaw

Hi,

I'm trying to use Marketo Forms and have a couple of issues that Im' hoping someone may have resolved, or have a reasoning for why there are not issues:

1) If I create a simple form with First Name, Last Name and Email Address then anyone could enter anyone else's details and change the First Name/Last Name of any of our leads. There is no way of us knowing whether that was done legitimately or not. Some sort of email confirmation would perhaps be useful.

2) If a user decided to modify that form (easily done via most browsers) and adds extra fields then they can modify other information on any of the leads too (e.g. Phone Number, Job Title, Company). I would expect that when you create a form,, the server-side validation would only accept values for those fields, not any fields you decide to pass.

Please advise as currently we cannot use Marketo Forms due to those reasons, the second being the most critical.
 

Thanks,
Mark

Tags (1)
4 REPLIES 4
Anonymous
Not applicable

Re: Marketo Forms Security Flaw

Hi Mark,
you can block Field Updates under Admin -> Select a field -> Field Updates -> Block Field Updates. Does that help?

0EM50000000RujT.jpg

Best regards

Steffen
Anonymous
Not applicable

Re: Marketo Forms Security Flaw

Hi Steffen,

But that would prevent updates from ALL forms wouldn't it? I'd expect security to work per form, so that only the fields exposed in the form can be updated.
 

Thanks,
Mark

Anonymous
Not applicable

Re: Marketo Forms Security Flaw

Hi Mark,
what do you mean with "only fields exposed in the form can be updated"

Best regards

Steffen
Anonymous
Not applicable

Re: Marketo Forms Security Flaw

Form A contains fields:

First Name
Last Name
Email Address

Form B contains fields:

First Name
Last Name
Job Title
Email Address

If a user submits Form A and decides to modify the form dynamically (which is easy to do) to add a Job Title field then it should still only update First Name, Last Name and Email Address.

If a user submits Form B then Job Title should be updated as it is valid for that form.
 

Thanks,
Mark