Google Tag Manager and Munchkin Code question

@Michael R There's isn't any such rigorous setup procedure. I can load Munchkin on any of our domain aliases.  And rightfully so because we use all of those in advertising.

Certainly I can't imagine what contract is being breached as Marketo has no way of knowing that isn't just another site you operate.

A way Marketo could (partially) prevent this would be to have an advanced mode where you would have to list every single domain from which you want to accept analytics calls.  This would have to include custom VisitWebPage calls as well. Would also have to be an opt-in feature for Marketo's customers or else it would break backward compatibility -- that is, people are loading legitimate Munchkin code on all their web properties (or clients' properties) , and that would all break if it were suddenly mandatory to list all the possible domains.

But that measure could only prevent accidental reuse of the code.  If I maliciously wanted to clutter your analytics, even if you said you only accept analytics calls from http://www.malikz.com I could just send thousands of fake requests to Munchkin from that domain, and I wouldn't ever need to hit your real website.

Bottom line, though, is that the people who stole @Malik Z's code show no evidence of understanding what they were doing.  Unless the goal was to muddle your analytics, there was no benefit to them. In reality, they hurt themselves by adding additional JS overhead on every page!  

I feel that, had you wrapped your Munchkin.init() in the domain check as I showed above, they would've either left that code intact (which means they wouldn't have beeen calling Munchkin)  or they would have deleted the code entirely (which also means no Munchkin).  To deliberately change the domain list or exclude the check would be pretty bizarre (not impossible, I concede).

WOW!! I'm shocked this is happening. That has to be some kind of breach of contract for them to pull in someone elses website into your data. Whats the point of the rigourous setup procedure of providing them all the domains you are using if they can't regulate that?

I'd be interested in this as well.  Thanks for surfacing this issue, Malik.

I guess my only other question is - why can't Marketo prevent this? I can't accept the answer that it's not possible, I haven't experienced people having the same issue with their Google Analytic codes getting stolen. Is Marketo just not taking all the measures to make sure this is prevented? The Munchkin is a huge component of Marketo, and to leave it vulnerable is dissapointing.

Sandford,

Thanks for the breakdown!

Nothing can stop someone from redeploying your code.  As I think I responded when you brought this up a few weeks ago, you must be allowed to redeploy your code on any number of domains without preregistering the domain with Marketo. 

Using GTM is just needless, I would say useless, complexity. Your code is still publicly known once it gets inserted into the page.  Maybe the fact that it's not initially in the markup would stop someone from accidentally scraping it, but not from deliberately scraping it.*  If you're worried about is accidental scrapers, you might as well just wrap the Munchkin.init() call, like this:

if ( ["www.example.com","www.domainalias.com"].indexOf(document.location.host) !== -1 ) {
    Munchkin.init()...
}

Also, the GTM JS is going to load very, very fast, but it can't possibly be faster than loading Munchkin on its own, since you're by definition loading another script over the network first.  This is a minor consideration, though. The main consideration is that it doesn't add security.

* In fact a basic Save As, as long as the user has JS enabled, will include GTM-injected HTML.  Like I said, not a security measure.