nation.marketo.com is now an open, unauthenticated web proxy. Don't do this! | Community
SanfordWhiteman
Level 10
May 18, 2017

nation.marketo.com is now an open, unauthenticated web proxy. Don't do this!

When Marketo Nation became publicly accessible last month, something pretty bad came along with that otherwise positive move: phishers can now use the Nation in attacks, by bouncing off /external-link.jsp (http​://nation.marketo.com/external-link.jspa?url={{my malicious link here}}). This was possible in the past as well, but only if someone was logged into the Nation, which reduced the attack surface considerably.

By coincidence (well, maybe not, given the state of the world) I was just working on a blog post about a major firewall/VPN platform that has the same vulnerability.

The solution is that Jive must only redirect to URLs that were originally entered by authenticated users. Let's not be part of the problem!

P.S. If anyone wonders why those pesky mail scanners that mess with click tracking are necessary, this is why!
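The fix the post asks for (follow only URLs the site itself stored for an authenticated user) can be implemented by signing each outbound link when it is saved and verifying that signature at the redirect endpoint. The following is an added illustration, not Jive's or Marketo's code; the endpoint name is taken from the post, while the HMAC key, parameter name `sig` and the sample URLs are constructed for the example.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlsplit, urlencode, parse_qs

# Constructed demo key; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"
ALLOWED_SCHEMES = ("http", "https")


def sign_external_link(url: str) -> str:
    """Token computed when an authenticated user saves a link in site content.

    HMAC over the exact URL string, so the redirect endpoint can later prove the
    URL came from stored content rather than from an arbitrary query string.
    """
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def build_redirect_href(url: str) -> str:
    """Render the outbound link the way the site would, carrying its signature."""
    return "/external-link.jspa?" + urlencode({"url": url, "sig": sign_external_link(url)})


def resolve_redirect_open(query: str) -> str:
    """The pattern the post describes: whatever ?url= says is followed. Do not ship this."""
    params = parse_qs(query)
    return params.get("url", ["/"])[0]


def resolve_redirect_signed(query: str, fallback: str = "/") -> str:
    """Hardened handler: redirect only to an absolute http(s) URL whose signature verifies.

    Anything that fails a check lands on the site's own fallback page, never on the
    caller-supplied target.
    """
    params = parse_qs(query)
    url: Optional[str] = params.get("url", [None])[0]
    sig: Optional[str] = params.get("sig", [None])[0]
    if not url or not sig:
        return fallback
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return fallback  # rejects javascript:, data:, protocol-relative and relative targets
    if not hmac.compare_digest(sign_external_link(url), sig):
        return fallback  # constant-time compare; a forged or tampered ?url= ends up here
    return url
```

As the post notes, this only raises the bar to "a logged-in user saved this link"; content moderation of what authenticated users post is still needed.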

2 replies

SanfordWhiteman
Level 10
May 18, 2017

@Janet Dulsky

Janet_Dulsky
Adobe Employee
May 19, 2017

@Sanford Whiteman, thanks for the information. I will pass it along to Jive and let you know what they say. I would hate to have the Marketing Nation be a contributor to phishing.

Thanks, again.

Janet