FAQ: Dynamic Link Redirection Vulnerability
What is the vulnerability?
Many of our customers use Cheetah Messaging advanced features, including link personalization and dynamic domain redirects. We have identified a vulnerability in the dynamic redirection feature where an outside actor may copy and then modify the links to redirect to a different, unauthorized destination. These modified links may be used to intentionally misdirect users or misrepresent an organization, resulting in potential credential disclosure or brand reputational harm.
What is Marigold doing to fix this vulnerability? How soon will it be fixed?
The Cheetah Messaging team is treating this issue as a top priority and is actively implementing code updates to remove the vulnerability. Updates to the remediation timeline will be provided as they become available. Your CSM will notify you when the updates have been deployed to resolve the vulnerability and will provide information on the steps needed to leverage the new capabilities.
Has any data breach or unauthorized access occurred?
No. This type of vulnerability does not lead to data loss or unauthorized access to the Cheetah Messaging platform. Our security and engineering teams are continuously monitoring the affected environments, and no breaches or unauthorized access have been identified.
Are there security mitigations available for my account?
Yes: Registered Domains and Link Authenticity.
What is Link Authenticity?
Link Authenticity is a security feature that protects outgoing links and prevents unauthorized modification of any data within the link, including outbound domain redirection. The feature protects links included in new campaigns that are launched after Link Authenticity is activated for your account. Link Authenticity will not affect any existing campaigns.
- For campaigns launched before the Link Authenticity tool is activated for your account, you can protect them by using the Registered Domains security tool, or by ending the older campaign, copying it, and restarting it as a new campaign so that it will now be protected by Link Authenticity.
What is Registered Domains?
Registered Domains is a security feature that compares all incoming redirected links against a list of allowed and valid domains provided by the customer. Only links whose domains appear on the allow-list will be redirected. Links with domains that are NOT part of the allow-list will not be redirected.
- If Link Authenticity is also activated for your account, you will not need to register new domains you may use in the future, only domains that were used prior to activation of the Link Authenticity tool.
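To make the two mitigations concrete, here is an added illustration of how a redirect endpoint can combine an integrity check on link data (the Link Authenticity idea) with a customer-supplied domain allow-list (the Registered Domains idea). This is example code written for this FAQ, not Cheetah Messaging's or Marigold's implementation; the query parameter names (`cid`, `url`, `sig`), the HMAC-SHA256 construction, the registered-domain set and the signing key are all assumptions constructed for the demonstration. It follows the rule described above: a link whose signature verifies is redirected as authored, while an unsigned link (as from an older campaign) is redirected only if its destination domain is on the allow-list.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed allow-list standing in for the customer's Registered Domains.
REGISTERED_DOMAINS = {"example.com", "shop.example.net"}


def domain_allowed(target_url, registered=REGISTERED_DOMAINS):
    """Return True only if target_url is an http(s) URL whose host is a
    registered domain or a subdomain of one (exact host match, not substring)."""
    parts = urlsplit(target_url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in registered)


def _canonical(params):
    # Deterministic encoding of the link data that is covered by the signature.
    return urlencode(sorted(params.items()))


def sign_link(params, key):
    """Produce a query string with an HMAC-SHA256 tag over all link data."""
    canonical = _canonical(params)
    tag = hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()
    return canonical + "&sig=" + tag


def verify_link(query, key):
    """Return the link parameters if the signature is present and valid,
    otherwise None. Any change to the data (including the destination) fails."""
    qs = parse_qs(query, keep_blank_values=True)
    if any(len(v) != 1 for v in qs.values()):
        return None  # duplicated parameters are rejected outright
    tag = qs.pop("sig", [None])[0]
    if tag is None:
        return None
    params = {k: v[0] for k, v in qs.items()}
    expected = hmac.new(key, _canonical(params).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return params


def resolve_redirect(query, key, registered=REGISTERED_DOMAINS):
    """Decide where (if anywhere) the redirect endpoint may send the user.

    Signed link  -> destination is integrity-protected, honour it (http/https only).
    Unsigned link -> legacy campaign, redirect only to a registered domain.
    Returns the destination URL, or None when the redirect must be refused."""
    params = verify_link(query, key)
    if params is not None:
        target = params.get("url")
        if target and urlsplit(target).scheme in ("http", "https"):
            return target
        return None
    legacy = parse_qs(query, keep_blank_values=True)
    target = legacy.get("url", [None])[0]
    if target and domain_allowed(target, registered):
        return target
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; a real key comes from a secret store
    signed = sign_link({"cid": "42", "url": "https://example.com/offer?id=7"}, key)
    print(signed)
    print(resolve_redirect(signed, key))
    print(resolve_redirect(signed.replace("example.com", "example.org"), key))
```

Two details matter for a defender: the host comparison is against the parsed hostname (so `example.com.evil.test` or a `javascript:` scheme does not pass), and the signature is compared with `hmac.compare_digest` so verification time does not leak information about the tag.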
What do you need us to do?
Please contact your CSM and prepare a list of allowed and valid domains for redirection. We will coordinate timing with you to enable and test the feature, ensuring minimal disruption to any existing activities.
We are working to enable Link Authenticity in your account(s). We will email the primary contact on your account once the task is complete.
Is there any extra cost for these features or assistance?
No, this is offered at no charge with your use of Cheetah Messaging.
If we would like to get started or have questions, what should we do?
Reach out to your Marigold Customer Service Manager and they will be able to assist you.