nation.marketo.com is now an open, unauthenticated web proxy. Don't do this!

nation.marketo.com is now an open, unauthenticated web proxy. Don't do this!

When Marketo Nation became publicly accessible last month, something pretty bad came along with that otherwise positive move: phishers can now use the Nation in attacks, by bouncing off /external-link.jsp (http​://nation.marketo.com/external-link.jspa?url={{my malicious link here}}). This was possible in the past as well, but only if someone was logged into the Nation, which reduced the attack surface considerably.

By coincidence (well, maybe not, given the state of the world) I was just working on a blog post about a major firewall/VPN platform that has the same vulnerability.

The solution is that Jive must only redirect to URLs that were originally entered by authenticated users. Let's not be part of the problem!

P.S. If anyone wonders why those pesky mail scanners that mess with click tracking are necessary, this is why!

6 Comments
SanfordWhiteman
Level 10 - Community Moderator
Janet_Dulsky
Marketo Employee

Sanford Whiteman​, thanks for the information. I will pass it along to Jive and let you know what they say. I would hate to have the Marketing Nation be a contributor to phishing.

Thanks, again.

Janet

Janet_Dulsky
Marketo Employee

Sanford Whiteman​, here's the answer from Jive:

"We don't limit redirect URLs to authenticated users. But we do have security measures in place to address this concern:

  • Warn users that they are leaving Jive when they click on external link in content
  • Delay the redirect to external links so users are made aware that they are leaving the instance"

I have made the above changes to our system to help mitigate harm if a phishing attack is perpetuated in Community. However, please note that you have to be logged in to create content (including a link) in Community. That hasn't changed with the opening of the Community. The opening only allows non-customers/partners/employees to view content. So, to your earlier point, the requirement to be logged in to create a link reduces the attack surface considerably.

Thanks for helping to keep our Community members safe.

Janet

SanfordWhiteman
Level 10 - Community Moderator

Hi Janet,

Thanks for looking into it.

the requirement to be logged in to create a link reduces the attack surface considerably.

Anyone can create a redirector link without being logged in. You can't add the link to a post if you don't have a login, but that's not the issue.

For example, open an Incognito window and go to

     http​s://nation.marketo.com/external-link.jspa?url=http%3A%2F%2Fwww.example.com%2F%3Fmalicious

You'll see that you're redirected to the malicious site without doing anything else, and that link doesn't exist in an Idea or Discussion.

If Jive were still protected by login, then you'd be prompted to log in (if you weren't already) before.  Now, with Jive unprotected, even someone who doesn't use Marketo can be the victim of the attack, and someone who doesn't use Marketo can be the perpetrator of the attack.  Jive can be weaponized without anyone needing to log in.

It's a real vulnerability, and it's unacceptable for an enterprise platform like Jive to not acknowledge it.

Janet_Dulsky
Marketo Employee

Sanford Whiteman, thanks for helping me understand the issue more clearly. It's very helpful. I will continue to work with Jive.

kh-lschutte
Community Manager
Status changed to: Open Ideas