Question about security triggering a webhook via a form-fill-out.

Question

I have a use case where I'd like to use a 'stand alone', not public-facing Marketo landing page with a form for my internal users. They need to be able to trigger individual SMS messages to specific customers.
I've built out a program where the triggger 'fills out form' calls the Twillio webhook and sends the specific SMS message. Our representatives fill in the form with the required info for Marketo to locate the person record. 
How vulnerable is my Twilio account using this method?

SanfordWhiteman · Accepted Answer

I have a use case where I'd like to use a 'stand alone', not public-facing Marketo landing page with a form for my internal users.

There’s not really any such thing as a non-public-facing Marketo LP, though using an unguessable GUID for the page name may be acceptable here.

How vulnerable is my Twilio account using this method?

It’s as vulnerable as the page is findable.

Let’s accept that the URL is unguessable. But that doesn’t mean it isn’t circulated via emails. Maybe it’s accidentally forwarded outside the company or revealed in a screenshot or screenshare. Maybe it’s pasted into an internal site and revealed to someone (also internal) who shouldn’t know about it. Or somebody disgruntled leaves the company, and even if their corporate login is turned off they can still reach the page.

Granted, all these concerns apply to things like Google Docs that are “editable by anyone with the URL” — something that’s pretty common these days! But if your org has rules against one they’d also want to prohibit the other.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded