Email Tracking URL Security Enhancement | Community
Mike_Reynolds2
Level 10
June 6, 2017

Email Tracking URL Security Enhancement


Overview

For added security, we have added functionality to validate that email tracking URL hash codes originate from the same domain in the subscription. A unique email tracking URL hash code is what is used to identify which Marketo instance the link is coming from, enabling the tracking functionality in your emails.

Example

Here’s an example of how an email tracking URL is constructed:

Enhancement being made:

This enhancement will add extra validation to the tracking URLs used in your emails.

When our tracking server receives the link, it will use the URL hash code to identify the Marketo instance. It then looks up the branding domains associated with the subscription.

If the domain presented in the URL matches a branding domain we have listed for you, the link will connect just as it should. If the domain in the URL does not match a domain in our database, it will be considered suspicious and will be stopped and a "404 error" will be displayed.


23 replies

Mike_Reynolds2
Level 10
June 7, 2017

@Robb,

No problem, let's just break it down to sort it out. First thing is, you have to pretend you're a hacker with malicious intent. Because if you're affected by this at all, you'd first have to be doing something fishy for a clearly malicious intent.

The branding domain takes you to the Marketo servers, and then the hash code represents the destination URL you want to go to, which should be the one for your own site.

Let's say you work for MaliciousCompanyA and you're creating a scam. In Marketo, you set up a branding domain of go.maliciouscompanya.com so your hyperlinks are go.maliciouscompanya.com/XXXXXX.

Now we have TotallyInnocentCompanyB with the branding domain of go.totallyinnocentcompanyb.com, and their hyperlinks are go.totallyinnocentcompanyb.com/ZZZZZZZZ.

So you're creating a scam page you want to take people to: maliciouscompanya.com/XXXXXtotalscampage and you want to create a hyperlink that looks like it's coming from TotallyInnocentCompanyB, when in fact it's coming from your scam site. Take the branding domain from the one company, go.totallyinnocentcompanyb.com and then change out the hash code with the one for your scam site.

go.maliciouscompanya.com/XXXXXtotalscampage

becomes

go.totallyinnocentcompanyb.com/XXXXtotalscampage.

The security enhancement in place prevents that from happening by adding an additional layer of validation between the branding domain and the hash code. So if you're the TotallyInnocentCompanyB, your branding domain of go.totallyinnocentcompanyb.com can't be used to go to any hash code other than the ZZZZZZ hash for your own company.

The reason this doesn't affect third party websites is because you're not linking them to your branding domain. If you're adding a link into your email saying "Hey, let's go to google.com and look at this", it goes to google.com, not your branding domain go.totallyinnocentcompanyb.com/ZZZZZgoogle.com.

So the short version is, this beefs up security to protect you and has no functional difference for you. ...unless you're a hacker. Because if you're a hacker, this will really mess up your day.
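The following is an added illustration, not code from Marketo or from anyone in this thread. It models the check the overview post describes (hash code identifies the instance, the host in the URL must be one of that instance's branding domains, otherwise 404) and walks through the MaliciousCompanyA / TotallyInnocentCompanyB scenario above, with the old hash-only lookup next to the enhanced one. The tables, instance ids, hash codes, status codes and the way codes are generated are all constructed assumptions for the demonstration.

```python
# Added illustration (not Marketo's code): a toy click-tracking redirector
# that shows the pre-enhancement lookup (hash only) next to the enhanced
# check (the host in the URL must belong to the instance that owns the hash).
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed sample tables. Hash codes, instance ids and domains are the
# hypothetical ones used in the thread, not real Marketo values.
TRACKING_LINKS: Dict[str, Tuple[str, str]] = {
    # hash code -> (owning instance, destination URL)
    "ZZZZZZZZ": ("instance-B", "https://www.totallyinnocentcompanyb.com/offer"),
    "XXXXXX": ("instance-A", "https://maliciouscompanya.com/totalscampage"),
}
BRANDING_DOMAINS: Dict[str, Set[str]] = {
    # instance -> branding domains configured for that subscription
    "instance-A": {"go.maliciouscompanya.com"},
    "instance-B": {"go.totallyinnocentcompanyb.com"},
}


@dataclass
class RedirectDecision:
    status: int              # HTTP status the tracking server would answer with
    location: Optional[str]  # redirect target, or None on a 404
    reason: str


def issue_tracking_link(instance: str, branding_domain: str, destination: str) -> str:
    """Rewrite a destination into a tracked link, as happens when an email is
    sent: the hash code stands for the destination and the host is one of the
    sending instance's own branding domains."""
    if branding_domain not in BRANDING_DOMAINS.get(instance, set()):
        raise ValueError(f"{branding_domain} is not a branding domain of {instance}")
    code = secrets.token_urlsafe(9)  # random, unguessable hash code (assumed scheme)
    TRACKING_LINKS[code] = (instance, destination)
    return f"https://{branding_domain}/{code}"


def resolve(tracking_url: str, legacy: bool = False) -> RedirectDecision:
    """Decide how the tracking server answers a click.

    legacy=True reproduces the old behaviour the thread describes: only the
    hash code is looked up, so any instance's hash works on any branding
    domain. legacy=False adds the enhancement: the host in the URL must be a
    branding domain of the instance that owns the hash, otherwise 404.
    """
    parts = urlsplit(tracking_url)
    host = (parts.hostname or "").lower()
    code = parts.path.strip("/").split("/")[0]

    entry = TRACKING_LINKS.get(code)
    if entry is None:
        return RedirectDecision(404, None, "unknown hash code")
    instance, destination = entry

    if legacy:
        return RedirectDecision(302, destination, "hash-only lookup (pre-enhancement)")

    if host not in BRANDING_DOMAINS.get(instance, set()):
        return RedirectDecision(
            404, None, f"host {host!r} is not a branding domain of {instance}; treated as suspicious"
        )
    return RedirectDecision(302, destination, "host matches a branding domain of the owning instance")


if __name__ == "__main__":
    # A legitimate link from TotallyInnocentCompanyB.
    print(resolve("https://go.totallyinnocentcompanyb.com/ZZZZZZZZ"))
    # Mike's scenario: B's branding domain with A's hash code pasted on the end.
    spoofed = "https://go.totallyinnocentcompanyb.com/XXXXXX"
    print(resolve(spoofed, legacy=True))  # old behaviour: 302 to the scam page
    print(resolve(spoofed))               # enhanced behaviour: 404
```

The point of the `legacy` flag is to make the difference visible in one place: the hash alone identifies the destination in both modes, and the only thing the enhancement adds is the ownership check between the host that served the click and the instance the hash belongs to, which is exactly why links to third-party sites that never pass through a branding domain are unaffected.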

June 7, 2017

Unless I am mistaken (somebody, please correct me!), the vulnerability just allowed any existing hashes to be used on the end of any branding domain. Exploiting it did rely on the malicious actor being able to generate a valid Marketo email tracking link pointing to the desired destination. So your questions about crafting from the outside are valid... you're right, I don't know of a way to craft hashes from the outside (unless you've made your own vulnerability in a Velocity script which builds tracked links from a user-provided Marketo field value).

SanfordWhiteman
Level 10
June 7, 2017

OK, so redirector hashes didn't actually have an owning instance before. That's a lot simpler of an explanation!

Of course there are plenty of other ways for a malicious Marketo user to disrupt other Marketo users, but it's good to have this one out of the way.

June 7, 2017

Yep, that's my understanding... and I'm stealing your phrasing, as long as nobody corrects the both of us. That is a good way to describe it.

Level 4
June 8, 2017

I think this makes sense to me. In Robb's example, can he check to see if his branding domain includes GE.com? If not, can he add it? Would he need to?

SanfordWhiteman
Level 10
June 8, 2017

Turns out this has nothing to do with the URLs added to the email by email authors.

It just means Marketo users can't use other users' branding domains (which shouldn't have been possible in the first place).

Robb_Barrett
Level 10
June 8, 2017

Got it. The branding domain actually did nothing in the past then, if that's my understanding. It's all on the string after the domain. With as many Marketo users as there are sending out as many emails as they do, how often was it that a duplicate string could have occurred?

Is the solution meant to thwart malicious users or just the chance of duplicates?

Robb Barrett
Mike_Reynolds2
Level 10
June 8, 2017

The branding domain does have a big part to play. It's a combination of identifying the instance in Marketo and authorizing the Marketo servers to send emails on your behalf. If you're a recipient mail server and you receive an email saying that it's from one company (your company) but the address that sent it is actually from someone else (Marketo), then it looks suspicious. The branding domain is a way to authorize the other entity to send emails on your behalf. The issue with the hash code isn't to avoid duplicates - with that long of a code string, it's extremely difficult to end up with duplicates. It's an extra layer of security validation.

Robb_Barrett
Level 10
June 8, 2017

Well, hold on a moment. What you're saying about the branding domain is giving me a confuse. Aren't you talking about the SPF / DKIM SDID? That's the one that lets other email servers know that Marketo is authorized to act as an agent for a company, right?

The branding domain is used to re-code links in the body of the email to point them to a Marketo tracking service, so it would overwrite www.thisdomain.com with click1.companywebsite.com/1234ABCD and then redirect to www.thisdomain.com. What you stated in a previous email is that in the past, Marketo only looked at 1234ABCD and not exactly the branding domain in front of it. If that's the case, then every couple of billion links sent in all the emails Marketo sends someone would get sent to the wrong page, potentially.

If email servers looked at branding domains then any time my wife sent me an amazon.com link for a dog bed she thinks our dogs need, it would block the email and I'd be a happy man.

Mike....do me a favor buddy....I'm on Lisinopril for high blood pressure and I almost had to see my Doctor yesterday for a stronger dose after this announcement. Next time you guys make an announcement like this, run it past the least techy person you know and see if they understand it. If they nod their head, start drooling and can only say "uh-huh" then they don't really get it.

Robb Barrett
SanfordWhiteman
Level 10
June 8, 2017

I agree, Robb, this has nothing to do with "authorization" as is currently understood.

The branding domain merely rewrites the URLs and requires no proof at all that the envelope sender domain and/or From/Reply-To: domain is "authorized" to use the branding domain.

In fact before multiple branding domains were introduced (was that this year or late last year?) you had to have mismatched envelope, header, and branding domains when you sent mail on behalf of multiple domains.