Never use Munchkin 'associateLead' like this (if you like having a job)

Secret keys are used throughout cryptography. They're basically akin to passwords, only they're generated and used by apps as opposed to being typed by hand (and they're often written in hex bytes like “5468617473206D79204B756E67204675” which is tough to memorize).

What does the “secret” part mean, though? Let's try this definition of “secret key”:

A value that must not be used by any person or app who hasn't first been authenticated to your system via other means.

Note the operative word: used by anyone, not known. You don't always have to know a secret key to make use of it, and it's the use that matters.[1]

Imagine an underground club with a secret word to get in. You don't know the word, but there's a guy in the alley outside, and if you slip that guy a quarter, he'll whisper the word in the bouncer's ear and you'll both get in. (Then he sneaks out the back to do it over again.)

Now you've used the word to the fullest, even if you never heard it yourself.

To have a secure system, you must neither leak a secret key directly nor create a guy in the alley who'll gladly use the secret key on anybody's behalf.

So I saw this very, Very, VERY bad idea today on someone's site:

This site's developer has created a public web service (/marketo/sha1.php) that, when you pass it an email address, hashes the email address with a Marketo instance's secret key and then passes back a Munchkin associateLead associator token.

I've written before about how to create such tokens, but securely: within Salesforce or Marketo, and never in response to an anonymous user's request over the public web.

But this service is akin to the alley dweller. If I'm a hacker, I don't have to know the secret key, but I can ask the service to use the secret key in exactly the same way I would if I knew it, so it has the same effect.

What's that effect? It's that anyone in the world can change any data value on any person in the Marketo instance.[2]

And that's real bad. Never do this.
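To make the difference concrete, here is an added example (my own code, not the site's or Marketo's) showing the anonymous signing oracle the post describes beside a handler that only signs for a visitor the server has already authenticated, and only for that visitor's own email. It assumes the SHA-1(private key + email) token format from Marketo's Munchkin documentation and uses a secret constructed for the demo.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed sample secret for the demo only. A real Marketo API private key
# never belongs in source code; load it from a secret store on the server.
SAMPLE_SECRET = "0123456789abcdef0123456789abcdef"


def munchkin_associate_hash(secret: str, email: str) -> str:
    """Hex SHA-1 of the private key followed by the email, the value Munchkin's
    associateLead expects (per Marketo's docs; concatenation order assumed)."""
    return hashlib.sha1((secret + email).encode("utf-8")).hexdigest()


@dataclass
class Session:
    """Minimal stand-in for a server-side session established by other means."""
    authenticated: bool
    email: Optional[str] = None


def handle_token_request_vulnerable(secret: str, email: str) -> str:
    """The pattern the post warns against: an anonymous caller names any email
    and gets a valid associator token back. The key is never disclosed, but it
    is *used* on the caller's behalf, so it is effectively public."""
    return munchkin_associate_hash(secret, email)


def handle_token_request(secret: str, session: Session) -> Optional[str]:
    """Hardened handler: sign only for an authenticated caller, and take the
    email from the server-side session rather than the request, so the token
    can only ever associate the visitor with their own lead."""
    if not session.authenticated or not session.email:
        return None
    return munchkin_associate_hash(secret, session.email)
```

The hardened handler has no parameter an anonymous caller can steer, which is the property to check for in any endpoint that touches a secret key.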


[1] By which I mean use in an uncontrolled/arbitrary fashion. Obviously, any time you connect to a system and that system uses secret keys on the back end, you're “using” the keys in some way, but that's very different from what I'm covering here.

[2] One might note that Marketo forms have the same vulnerability, if field updates are not blocked. And that's quite true. But two wrongs don't make security.