BTI-2025-0023
CRITICAL | BTI-C12 | PUBLISHED
BTSS 9.2

6sense

6sense CMP Cookie Harvesting - Cross-Vendor Identity Aggregation via Ketch

Discovered: 2025-12-03
Est. Deployments: 10,000+
Trend: stable

Summary

A SINGLE PAGE LOAD on 6sense.com triggers an extraordinary surveillance cascade: 13 hosts syncing cookies, 17 hash exfiltrations, PII deanonymization (name + phone), a CMP defeat device harvesting pre-consent data, and TrenDemon SDK with eval()-based arbitrary code execution loading from the compromised polyfill.io domain.

## SUPPLY CHAIN COMPROMISE: polyfill.io on Privacy Policy Page

TrenDemon SDK (loaded on 6sense.com) includes a dependency on polyfill.io/v3/polyfill.min.js. This domain was acquired by Chinese company Funnull in February 2024 and subsequently used to inject malicious code into websites. **This script loads while users read 6sense's privacy policy** - the page that should inform them of data practices instead exposes them to a known compromised CDN.

6sense deploys Ketch CMP (documented in BTI-2025-0022 as a consent defeat device), which harvests Marketo tracking cookies from visitors and transmits them to ketchcdn.com. This creates undisclosed cross-vendor identity aggregation, where visiting 6sense's Trust Center ironically results in marketing cookie exfiltration.

The researcher was identified by name ("Ronin") and geolocated to state level (Alabama) while researching 6sense's privacy practices.

This is not a collection of separate issues - it's a coordinated surveillance architecture deployed by a company that sells "privacy-compliant intent data."

BTSS Score Breakdown

Exploitability: 3 / 4
Data Sensitivity: 3 / 3
Prevalence: 2.2 / 2
Detection Difficulty: 1 / 1

Technical Details

## Cross-Vendor Cookie Harvesting

When a user visits 6sense.com, Ketch CMP fires first and harvests existing cookies from other vendors before asking for consent.

### Decoded Ketch Payload (Base64 from `ids=` parameter)

```json
{
  "_mkto_trk": "id:958-TTM-744&token:_mch-6sense.com-33fe35d4df8d6e33441925452a7b0e80",
  "swb_default_property": "670110ef-a747-4a9a-b62c-f8513dbb6c10"
}
```

### Evidence Breakdown

| Field | Value | Meaning |
|-------|-------|---------|
| `_mkto_trk` | `id:958-TTM-744&token:...` | 6sense's Marketo Account ID |
| `swb_default_property` | UUID | Ketch internal tracking ID |
| `region` | `US-AL` | User geolocated to Alabama |
| `uid` | `Ronin` | User's Google Analytics identity |

### Third-Party Tracking Domains Found

**Identity Infrastructure:**
- `epsilon.6sense.com` / `eps.6sc.co` - 6sense's own tracking
- `v.eps.6sc.co` - Variant endpoint

**Marketing Automation:**
- `958-ttm-744.mktoresp.com` - Marketo (6sense account)
- `munchkin.marketo.net` - Marketo Munchkin tracker

**Consent Management (Ironic):**
- `global.ketchcdn.com` - Ketch CMP (defeat device)
- `cdn.ketchjs.com` - Ketch JavaScript CDN

**Additional Trackers:**
- `app.qualified.com` - Visitor qualification
- `data.sequel.io` - Data enrichment
- `stats.g.doubleclick.net` - Google advertising
- `analytics.google.com` - Google Analytics

Code Evidence

[http] Vendors/6sense/6sense.com.har

Ketch harvesting Marketo cookie

POST /web/v3/consent/6_sense/get HTTP/2
Host: global.ketchcdn.com
Content-Type: application/json

{
  "identities": {
    "_mkto_trk": "id:958-TTM-744&token:_mch-6sense.com-33fe35d4df8d6e33441925452a7b0e80",
    "swb_default_property": "670110ef-a747-4a9a-b62c-f8513dbb6c10"
  },
  "purposes": {...}
}

[http] Vendors/6sense/6sense.com.har

Pre-consent identity log with region

POST /web/v2/log HTTP/2
Host: global.ketchcdn.com

hasConsent=false
&event_type=once_identities
&region=US-AL
&ids=eyJfbWt0b190cmsioiJpZDo5NTgtVFRNLTc0NCZ0b2tlbj1fbWNoLTZzZW5zZS...

Network Evidence

POST https://global.ketchcdn.com/web/v3/consent/6_sense/get

Ketch consent endpoint with Marketo cookie

POST https://global.ketchcdn.com/web/v2/log

Pre-consent identity logging

GET https://analytics.google.com/g/collect?uid=Ronin

Google Analytics with named user ID

GET https://epsilon.6sense.com/v3/company/details

6sense deanonymization payload #1 - returns identified company/contact data

GET https://eps.6sc.co/v3/company/details

6sense deanonymization payload #2 - redundant/failover endpoint

Legal Touchpoints

GDPR Art. 13/14 (European Union)

Failure to disclose specific processing purposes. Ketch is not disclosed as aggregating Marketo cookies. Framing FingerprintJS as "fraud prevention" obscures its fingerprinting function.

CCPA 1798.100 (California)

Cross-vendor data sharing without adequate disclosure. Marketo cookies transmitted to Ketch constitute a "sale" or "sharing" under CCPA.

FTC Act Section 5 (United States)

Deceptive practices through subprocessor misrepresentation. Calling FingerprintJS "Account Fraud Prevention" when it is device fingerprinting for advertising is materially misleading.

Prevalence

Estimated Deployments: 10,000+
Market Segments: B2B Enterprise, SaaS, Marketing Technology
Notable Deployments:
  • 6sense.com (vendor's own site)

Reproduction Steps

1. **Visit 6sense.com** with DevTools open
2. **Filter Network by** `ketchcdn.com`
3. **Find POST to** `/web/v3/consent/6_sense/get`
4. **Examine request payload** for `identities` object
5. **Decode any Base64 `ids=` parameters** to reveal Marketo cookie
6. **Check Response headers** for AWSALB without security flags
7. **Visit Trust page** and observe full tracking continues
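The steps above, together with the Base64 `ids=` decoding shown under Technical Details, can be run as a script over a saved HAR capture instead of by hand in DevTools. The following is an added example, not code from this advisory or from 6sense, Ketch or any other vendor named on the page. It takes the Ketch host names, the `_mkto_trk` cookie name and the two request shapes from the page; the HAR it scans is constructed inline (the `ids=` blob is rebuilt as complete Base64 because the page shows it truncated, and the AWSALB cookie value is a placeholder); and it assumes that "security flags" in step 6 means `Secure` and `HttpOnly`, which the page does not spell out.

```python
"""Added example (not the advisory's or any vendor's code): automate the
reproduction steps against a HAR capture. Hosts and cookie names come from
the advisory; the HAR at the bottom is constructed."""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

CMP_HOSTS = {"global.ketchcdn.com", "cdn.ketchjs.com"}  # from the advisory
THIRD_PARTY_ID_COOKIES = {"_mkto_trk"}  # Marketo cookie named on the page; extend as needed
REQUIRED_COOKIE_FLAGS = {"secure", "httponly"}  # assumed meaning of "security flags"


def decode_ids_param(value):
    """Decode the Base64 JSON blob a CMP log request carries in `ids=`
    (standard or URL-safe alphabet, padding optional); None if undecodable."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return json.loads(base64.b64decode(padded, altchars=b"-_"))
    except (ValueError, UnicodeDecodeError):
        return None


def parse_cmp_request(entry):
    """Return (identities, form_params): identities is the `identities` object
    of a JSON body, or the decoded `ids=` parameter of a form-encoded body."""
    post = entry["request"].get("postData") or {}
    mime, text = post.get("mimeType", ""), post.get("text", "")
    if "json" in mime:
        try:
            return json.loads(text).get("identities") or {}, {}
        except ValueError:
            return {}, {}
    params = parse_qs(text)
    decoded = decode_ids_param(params["ids"][0]) if "ids" in params else None
    return (decoded if isinstance(decoded, dict) else {}), params


def insecure_set_cookies(entry):
    """Names of cookies the response sets without every required flag."""
    bad = []
    for header in entry.get("response", {}).get("headers", []):
        if header["name"].lower() != "set-cookie":
            continue
        cookie, *attrs = header["value"].split(";")
        flags = {a.strip().split("=", 1)[0].lower() for a in attrs}
        if not REQUIRED_COOKIE_FLAGS <= flags:
            bad.append(cookie.split("=", 1)[0].strip())
    return bad


def scan_har(har):
    """One finding per CMP-bound request that carries a third-party identity
    cookie or whose response sets a cookie without the required flags."""
    findings = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        if (urlsplit(url).hostname or "") not in CMP_HOSTS:
            continue
        identities, params = parse_cmp_request(entry)
        leaked = sorted(k for k in identities if k in THIRD_PARTY_ID_COOKIES)
        weak = insecure_set_cookies(entry)
        if leaked or weak:
            findings.append({
                "method": entry["request"]["method"],
                "url": url,
                "leaked_cookies": leaked,
                # True only when the request itself states hasConsent=false
                "pre_consent": params.get("hasConsent", [""])[0].lower() == "false",
                "region": params.get("region", [None])[0],
                "insecure_cookies": weak,
            })
    return findings


# Constructed sample HAR mirroring the advisory's two requests. The Marketo
# cookie value is the one on the page; the `ids=` blob is built complete here
# because the page shows it truncated; the AWSALB value is a placeholder.
_MKTO = "id:958-TTM-744&token:_mch-6sense.com-33fe35d4df8d6e33441925452a7b0e80"
_IDS = base64.b64encode(json.dumps({"_mkto_trk": _MKTO}).encode()).decode()
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST",
                 "url": "https://global.ketchcdn.com/web/v3/consent/6_sense/get",
                 "postData": {"mimeType": "application/json",
                              "text": json.dumps({"identities": {"_mkto_trk": _MKTO}})}},
     "response": {"headers": [{"name": "Set-Cookie",
                               "value": "AWSALB=placeholder-value; Path=/"}]}},
    {"request": {"method": "POST",
                 "url": "https://global.ketchcdn.com/web/v2/log",
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": urlencode({"hasConsent": "false",
                                                 "event_type": "once_identities",
                                                 "region": "US-AL", "ids": _IDS})}},
     "response": {"headers": []}},
]}}

if __name__ == "__main__":
    print(json.dumps(scan_har(SAMPLE_HAR), indent=2))
```

To run it against a real capture, export the HAR from DevTools and replace `SAMPLE_HAR` with `json.load(open(path))`. A finding whose `leaked_cookies` is non-empty and whose `pre_consent` is true is the condition the advisory describes: another vendor's identifier reaching the CMP host in a request that itself states no consent has been given.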

Remediation

  • [immediate] Block Ketch on 6sense domains (Effort: trivial)
  • [immediate] Block 6sense epsilon tracking (Effort: trivial)
  • [short term] Request accurate subprocessor disclosure (Effort: moderate)
  • [immediate] Block TrenDemon SDK (eval() supply chain risk) (Effort: trivial)
Created: 2025-12-03 | Updated: 2025-12-04 | Version: 2
#cross-vendor-aggregation #cookie-harvesting #cmp-violation #subprocessor-misrepresentation #pii-deanonymization