FAQ: Dynamic Link Redirection Vulnerability
As of June 2023, Link Authenticity has been made available in all regions and enabled by default for all clients worldwide.
For campaigns launched AFTER Link Authenticity has been enabled in the account, tracked links inside emails from those campaigns are authenticated by our redirect servers, which verify that each link has not been tampered with before forwarding readers to its final destination.
If marketers want to take advantage of Link Authenticity for automated campaigns, such as Date Triggered and Event Triggered, that were launched prior to Link Authenticity being enabled for the account, use the “Pick Up Changes” option in these campaigns. Once the campaigns are updated, subsequent emails from those campaigns will be sent with authenticated tracked links. Link Authenticity does not protect links within emails sent before Link Authenticity is enabled.
For more information, refer to Anti-phishing Features.
What is the vulnerability?
Many of our customers use Cheetah Messaging advanced features, including link personalization and dynamic domain redirects. We have identified a vulnerability in the dynamic redirection feature: an outside actor may copy a legitimate tracked link and then modify it so that it redirects to a different, unauthorized destination while still appearing to be one of the organization's links (an open redirect). These modified links may be used to intentionally misdirect users or misrepresent an organization, resulting in potential credential disclosure or brand reputational harm.
Has any data breach or unauthorized access occurred?
No. This type of vulnerability does not expose data held in the Cheetah Messaging platform or allow unauthorized access to it; the risk is to readers who click a modified link and to the sender's reputation. Our security and engineering teams are continuously monitoring the affected environments, and no breaches or unauthorized access have been identified.
Are there security mitigations available for my account?
Yes: Registered Domains and Link Authenticity.
What is Link Authenticity?
Link Authenticity is a security feature that protects outgoing tracked links and prevents unauthorized modification of any data within the link, including the outbound redirect destination. The feature protects links included in new campaigns that are launched after Link Authenticity is activated for your account. Link Authenticity does not affect any existing campaigns.
- For campaigns launched before the Link Authenticity tool is activated for your account, you can protect them by using the Registered Domains security tool, or by ending the older campaign, copying it, and restarting it as a new campaign so that it will now be protected by Link Authenticity.
What is Registered Domains?
Registered Domains is a security feature that compares the destination domain of every incoming redirect request against a list of allowed and valid domains provided by the customer. Only links whose destination domain appears on the allow-list will be redirected. Links whose domain is NOT part of the allow-list will not be redirected.
- If Link Authenticity is also activated for your account, you will not need to register new domains you may use in the future, only domains that were used prior to activation of the Link Authenticity tool.
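To make the two mitigations concrete, here is an added Python model of a redirect server that applies both checks. It is illustrative code written for this FAQ, not Cheetah Messaging or Marigold code, and it does not describe how Link Authenticity or Registered Domains are actually implemented: the `u` and `sig` parameter names, the redirect host, the signing key and the allow-listed domains are all assumptions made up for the example. It shows why an unsigned tracked link can be rewritten by anyone who copies it, how an HMAC tag bound to the destination refuses such a rewrite, and how an allow-list still gates unsigned legacy links, including the lookalike-host case (`example.com.evil.test`) that a naive substring check would wave through.

```python
"""Illustrative model of two open-redirect mitigations for tracked links.

Added example, not vendor code. Parameter names, key, hosts and domains are
assumptions; a real deployment keeps the key in a secret store and would
normally return a 302 rather than a string.
"""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical per-account signing key (never embedded in emails or links).
SIGNING_KEY = b"example-account-key-do-not-reuse"

# Constructed customer allow-list, as a Registered Domains list might hold.
ALLOWED_DOMAINS = {"example.com", "news.example.com"}

REDIRECT_BASE = "https://click.example-esp.test/r"  # hypothetical redirect host


def build_tracked_link(dest: str, key: bytes = SIGNING_KEY) -> str:
    """Emit a tracked link whose destination is bound by an HMAC-SHA256 tag."""
    sig = hmac.new(key, dest.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{REDIRECT_BASE}?{urlencode({'u': dest, 'sig': sig})}"


def build_legacy_link(dest: str) -> str:
    """Unsigned link as sent before activation: anyone can edit 'u'."""
    return f"{REDIRECT_BASE}?{urlencode({'u': dest})}"


def signature_valid(dest: str, sig: str, key: bytes = SIGNING_KEY) -> bool:
    """Recompute the tag over the destination and compare in constant time."""
    expected = hmac.new(key, dest.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode("ascii"), sig.encode("utf-8"))


def domain_allowed(dest: str, allowed=ALLOWED_DOMAINS) -> bool:
    """Allow-list check on the parsed hostname: exact match or a subdomain of
    an allowed domain. Judging the hostname (not a substring of the URL)
    is what keeps 'example.com.evil.test' and '?next=example.com' out."""
    parsed = urlparse(dest)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False  # also rejects javascript:, data: and scheme-less values
    host = parsed.hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def resolve_redirect(tracked_url: str, key: bytes = SIGNING_KEY,
                     allowed=ALLOWED_DOMAINS) -> Optional[str]:
    """Decide what the redirect server does with an incoming click.

    Returns the destination to forward to, or None to refuse the click.
    A link carrying a tag must verify. A link without a tag (sent before
    activation, or with the tag stripped by an attacker) is only honoured
    when its destination host is on the allow-list.
    """
    q = parse_qs(urlparse(tracked_url).query)
    dest = q.get("u", [None])[0]
    sig = q.get("sig", [None])[0]
    if not dest:
        return None
    if sig is not None:
        return dest if signature_valid(dest, sig, key) else None
    return dest if domain_allowed(dest, allowed) else None


def tamper(tracked_url: str, new_dest: str) -> str:
    """What the outside actor does: keep the link's shape, swap the target."""
    parts = urlparse(tracked_url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    q["u"] = new_dest
    return parts._replace(query=urlencode(q)).geturl()


if __name__ == "__main__":
    evil = "https://login-example.evil.test/collect"  # constructed phishing host
    good = build_tracked_link("https://news.example.com/offer?id=42")
    print("signed, intact   :", resolve_redirect(good))
    print("signed, tampered :", resolve_redirect(tamper(good, evil)))
    legacy = build_legacy_link("https://example.com/promo")
    print("legacy, intact   :", resolve_redirect(legacy))
    print("legacy, tampered :", resolve_redirect(tamper(legacy, evil)))
    print("lookalike host   :", domain_allowed("https://example.com.evil.test/"))
```

Two design points worth noting. First, stripping the `sig` parameter from a signed link downgrades it to the allow-list path, which is exactly why the allow-list still matters while pre-activation campaigns are live; once every live campaign sends signed links, a deployment can stop honouring unsigned requests altogether. Second, the allow-list decision is made on the parsed hostname with an exact-or-subdomain rule, so a destination such as `https://evil.test/?next=example.com` or `https://example.com.evil.test/` is refused even though the allowed name appears inside the URL.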
What do you need us to do?
Please contact your CSM and prepare a list of allowed and valid domains for redirection. We will coordinate timing with you to enable and test the feature, ensuring minimal disruption to any existing activities.
If you want to take advantage of Link Authenticity for automated campaigns, such as Date Triggered and Event Triggered, that were launched prior to Link Authenticity being enabled for the account, you can use the “Pick Up Changes” option in these campaigns. Once the campaigns are updated, subsequent emails from those campaigns will be sent with authenticated tracked links.
Is there any extra cost for these features or assistance?
No, this is offered at no charge with your use of Cheetah Messaging.
If we would like to get started or have questions, what should we do?
Reach out to your Marigold Customer Service Manager and they will be able to assist you.