Email Tracking URL Security Enhancement | Community
Mike_Reynolds2
New Participant
June 6, 2017

Email Tracking URL Security Enhancement


Overview

For added security, we have added functionality to validate that email tracking URL hash codes originate from the same domain in the subscription. A unique email tracking URL hash code is what is used to identify which Marketo instance the link is coming from, enabling the tracking functionality in your emails.

Example

Here’s an example of how an email tracking URL is constructed:

Enhancement being made:

This enhancement will add extra validation to the tracking URLs used in your emails.

When our tracking server receives the link, it will use the URL hash code to identify the Marketo instance. It then looks up the branding domains associated with the subscription.

If the domain presented in the URL matches a branding domain we have listed for you, the link will connect just as it should. If the domain in the URL does not match a domain in our database, it will be considered suspicious and will be stopped and a "404 error" will be displayed.
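The check described in this post, as an added example that is not part of the original post and is not Marketo's code: a minimal Python model of a tracking redirector, with a resolver that trusts the hash alone beside one that also requires the request host to be a branding domain of the instance that owns the hash. The instance names, hash codes and destination URLs are constructed sample data, and this model answers a mismatch with a real 404 status.

```python
from urllib.parse import urlsplit

# Constructed sample data: instance names, hash codes and URLs are hypothetical.
BRANDING_DOMAINS = {
    "instance-a": {"go.maliciouscompanya.com"},
    "instance-b": {"go.totallyinnocentcompanyb.com"},
}
TRACKING_LINKS = {  # hash code -> (owning instance, final destination)
    "XXXXXX": ("instance-a", "https://maliciouscompanya.com/landing"),
    "ZZZZZZ": ("instance-b", "https://www.totallyinnocentcompanyb.com/offer"),
    "YYYYYY": ("instance-b", "https://www.marketo.com"),  # third-party target
}


def normalize_host(host_header):
    """Lower-case the Host header value and drop any port or trailing dot."""
    try:
        host = urlsplit("//" + host_header.strip()).hostname or ""
    except ValueError:  # malformed header, e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".")


def resolve_legacy(host_header, path):
    """Behaviour before the enhancement: the hash alone decides the redirect."""
    link = TRACKING_LINKS.get(path.lstrip("/"))
    return (302, link[1]) if link else (404, None)


def resolve_validated(host_header, path):
    """Behaviour after the enhancement: the request host must be a branding
    domain of the instance that owns the hash."""
    link = TRACKING_LINKS.get(path.lstrip("/"))
    if link is None:
        return (404, None)
    instance, destination = link
    if normalize_host(host_header) not in BRANDING_DOMAINS.get(instance, set()):
        # Same answer as for an unknown hash, so the reply reveals nothing.
        return (404, None)
    return (302, destination)
```

The third-party destination behind `YYYYYY` still redirects under `resolve_validated`, because only the host of the tracking URL is checked, not the final target.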


23 replies

SanfordWhiteman
New Participant
June 7, 2017

OK, so redirector hashes didn't actually have an owning instance before. That's a lot simpler of an explanation!

Of course there are plenty of other ways for a malicious Marketo user to disrupt other Marketo users, but it's good to have this one out of the way.

June 7, 2017

Unless I am mistaken (somebody, please correct me!), the vulnerability just allowed any existing hashes to be used on the end of any branding domain. Exploiting it did rely on the malicious actor being able to generate a valid Marketo email tracking link pointing to the desired destination. So your questions about crafting from the outside are valid... you're right, I don't know of a way to craft hashes from the outside (unless you've made your own vulnerability in a Velocity script which builds tracked links from a user-provided Marketo field value).

Mike_Reynolds2
New Participant
June 7, 2017

@Robb,​

No problem, let's just break it down to sort it out. First thing is, you have to pretend you're a hacker with malicious intent. Because if you're affected by this at all, you'd first have to be doing something fishy for a clearly malicious intent.

The branding domain takes you to the Marketo servers, and then the hash code represents the destination URL you want to go to, which should be the one for your own site.

Let's say you work for MaliciousCompanyA and you're creating a scam. In Marketo, you set up a branding domain of go.maliciouscompanya.com so your hyperlinks are go.maliciouscompanya.com/XXXXXX.

Now we have TotallyInnocentCompanyB with the branding domain of go.totallyinnocentcompanyb.com, and their hyperlinks are go.totallyinnocentcompanyb.com/ZZZZZZZZ.

So you're creating a scam page you want to take people to: maliciouscompanya.com/XXXXXtotalscampage and you want to create a hyperlink that looks like it's coming from TotallyInnocentCompanyB, when in fact it's coming from your scam site. Take the branding domain from the one company, go.totallyinnocentcompanyb.com and then change out the hash code with the one for your scam site.

go.maliciouscompanya.com/XXXXXtotalscampage

becomes

go.totallyinnocentcompanyb.com/XXXXtotalscampage.

The security enhancement in place prevents that from happening by adding an additional layer of validation between the branding domain and the hash code. So if you're the TotallyInnocentCompanyB, your branding domain of go.totallyinnocentcompanyb.com can't be used to go to any hash code other than the ZZZZZZ hash for your own company.

The reason this doesn't affect third party websites is because you're not linking them to your branding domain. If you're adding a link into your email saying "Hey, let's go to google.com and look at this", it goes to google.com, not your branding domain go.totallyinnocentcompanyb.com/ZZZZZgoogle.com.

So the short version is, this beefs up security to protect you and has no functional difference for you. ...unless you're a hacker. Because if you're a hacker, this will really mess up your day.

June 7, 2017

If I am understanding correctly, the vulnerability was that each hash could use any branding domain in the request. For a tracking hash of XYZ123 generated by Malicious Customer, requests to click.maliciousCustomer.com/XYZ123 (the generated tracking link) and click.anyOtherCustomer.com/XYZ123 (with the hostname replaced by another company's Marketo branding domain) were handled the same way, resulting in redirection. While this allows some level of impersonation, I cannot find any route for data leakage... but I'd love to hear your thoughts.

The fix just returns a 404 page (oddly with a 200 status) when the email branding domain used in the current request cannot be found among the email branding domains configured for the hash's originating Marketo instance.

Robb_Barrett
New Participant
June 7, 2017

@Mike Reynolds​, please understand that this is a bit over my head but has me very concerned. Can you please very clearly and simply explain what is happening and how this benefits me?  I've read this several times and I'm very confused and worried about this change. I don't understand this line:

"What you can't do though (thanks to this security upgrade) is put the branding domain for that 3rd party company in front of a hash that directs you to your own site instead."

I'm not sure how or why this would be done or what it even means.

Robb Barrett

Mike_Reynolds2
New Participant
June 7, 2017

@Robb Barrett PRD​

There's no functional behavior change that you'd see from this change. It's a security upgrade being done on the back end that affects the hyperlinks used inside the email, not the email's from address.

Robb_Barrett
New Participant
June 7, 2017

OK, this is a big deal for me. In my instance, gehealthcare.info is set up in the SPF / DKIM records but a lot of the time we use @ge.com when we want the mail to come from known addresses. Does this mean that my @ge.com emails are no longer going to work? Sometimes the email is @med.ge.com.

This is a sudden change and I don't recall notice of this happening. If this is blocking my emails from going out, I need to know ASAP along with how to fix this.  Thank you.

Robb Barrett

Mike_Reynolds2
New Participant
June 7, 2017

@Sanford Whiteman​ @Dan Stevens​ @Osman Erzinclioglu​

The security enhancement here wouldn't stop you from using a third party link in your email. I've updated the verbiage to clarify what it's referring to, which is the branding domain. So you could add a link in your email to link customers to a 3rd party site and you can also still allow tracking on that link as well. What you can't do though (thanks to this security upgrade) is put the branding domain for that 3rd party company in front of a hash that directs you to your own site instead.

There is no functional behavior change.

There are a few different questions here so let me run down the list.

By "an email domain" you mean a domain in Admin » Email » SPF/DKIM?

Close, but no. This is referring to the branding domain located in Admin > Email on the Email tab. The doc has been updated to reflect that. Here’s a screen shot of what it’s referring to:

Why should/would the domain of an email link have a relationship with those domains?

The hash code allows us to resolve to the originating subscription of the tracking link and therefore we can look up the list of branding domains associated with the subscription. In the example above, if your list of email branding domains contains “go.company.com”, then it matches with the domain in the tracking URL http://<go.company.com>/XXXXXXXXXXXXXXX

Is it no longer possible to link to a third-party site without that site being registered in the Admin UI?

No, it's still possible because the tracking URL is not the final destination. For example, http://<go.company.com>/XXXXXXXXXXXXXXX can redirect you to https://www.marketo.com

Is this related to my comment here and the subsequent fix w/r/t Marketo Nation?

No

I hope that helps. Let me know if there are any other questions at all.

SanfordWhiteman
New Participant
June 7, 2017

Still not clear.

Is this only to stop people from creating CNAME records pointing to other people's Marketo instances and (re)using hashes from existing emails (which obvs. should never have been allowed to work). Or is it about the final target URL of email links, after redirection?

SanfordWhiteman
New Participant
June 7, 2017

Since it's just the tracking URL (and not the URL behind it), I suspect this would still allow us to link to third-party sites, correct?

Yes, if that's what it means, it's fine.. but it's not at all clear.

Not sure what the vulnerability would be if it's about the tracking domain, since each (original target) URL gets a unique hash so shouldn't be able to be crafted from outside. Even if I can register any old domain and create a CNAME pointing to somebody's Marketo instance I shouldn't be able to make valid redirector links on my own.