I’m hoping this reaches the platform developers at Hubspot. This morning we identified a fairly significant security problem.
TLDR: If a user authenticates/authorizes access using OAuth and that user is later removed from the Hubspot account, the authentication credentials continue working (read-only).
Here’s the scenario:
One of our customers had an employee authenticate using Hubspot to allow data sync between our product and their Hubspot portal. A month later, that person left their company and was replaced by a new person. Per normal security protocol, the old user was deleted from our customer’s Hubspot account.
Our customer noticed their data sync seemed to be broken. However, we were still able to read from the API (fields, lists, contacts, etc.). Because of this, our monitoring system assumed things were still working. So, while write access stopped working, we can still read all the data using the deleted user’s API authentication credentials.
Further testing identified other interesting issues. Another example: if you authenticate with a user who has read/write access to contacts and later revoke write access, the API credentials still allow write access.
I assume the expectation is deleting a user would revoke API access. It’s easy to imagine a scenario where someone uses a 3rd-party tool like Zapier to create a sync between Hubspot and Google Docs. That person is then terminated, their user account is removed from Hubspot, yet they are still able to sync data (contacts!) from the Hubspot portal to their Google spreadsheet.
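The following is an added example, not code from the post or from the platform it describes: a toy in-memory model of the two gaps reported above (a token that keeps working after its user is removed, and a token that keeps a scope after that scope is revoked), beside a hardened validator that re-binds the token to its principal on every request, plus a per-capability health probe of the kind the poster's monitoring lacked. All names (`Directory`, `naive_authorize`, `hardened_authorize`, `integration_health`, the `contacts.read`/`contacts.write` scopes, user `alice`, token `tok-1`) are constructed for the example.

```python
# Added example (constructed; not the platform's code). Models OAuth-style
# token checks: a naive validator that only consults the token record, and a
# hardened one that also consults the user's current state and scopes.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    scopes: set = field(default_factory=set)  # permissions the user holds now
    active: bool = True                       # False once removed from the account


@dataclass
class Token:
    value: str
    user_id: str
    granted_scopes: set  # scopes snapshotted at authorization time


class Directory:
    """In-memory stand-in for an account's user list and its issued tokens."""

    def __init__(self):
        self.users = {}
        self.tokens = {}

    def add_user(self, user_id, scopes):
        self.users[user_id] = User(user_id, set(scopes))

    def issue_token(self, value, user_id):
        # The token records the scopes as they were at authorization time.
        self.tokens[value] = Token(value, user_id, set(self.users[user_id].scopes))

    def remove_user(self, user_id):
        # Removing the user deliberately does not touch self.tokens; that is
        # the gap the post describes.
        self.users[user_id].active = False

    def revoke_scope(self, user_id, scope):
        self.users[user_id].scopes.discard(scope)


def naive_authorize(directory, token_value, scope):
    """Accepts any known token whose snapshot contained the scope.
    Nothing here consults the user, so deletion and scope revocation are invisible."""
    tok = directory.tokens.get(token_value)
    return tok is not None and scope in tok.granted_scopes


def hardened_authorize(directory, token_value, scope):
    """Re-binds the token to its principal on every call: the user must still
    exist, still be active, and still hold the scope at request time, and the
    token must have been granted that scope in the first place."""
    tok = directory.tokens.get(token_value)
    if tok is None:
        return False
    user = directory.users.get(tok.user_id)
    if user is None or not user.active:
        return False
    return scope in tok.granted_scopes and scope in user.scopes


def integration_health(directory, token_value, required_scopes, authorize=hardened_authorize):
    """Integration-side probe: reports every required capability separately,
    so a working read path cannot mask a broken write path."""
    return {s: authorize(directory, token_value, s) for s in required_scopes}


def demo():
    d = Directory()
    d.add_user("alice", {"contacts.read", "contacts.write"})
    d.issue_token("tok-1", "alice")

    # Scenario 2 from the post: write scope revoked after authorization.
    d.revoke_scope("alice", "contacts.write")
    after_revoke = (naive_authorize(d, "tok-1", "contacts.write"),
                    hardened_authorize(d, "tok-1", "contacts.write"))

    # Scenario 1 from the post: the authorizing user is removed.
    d.remove_user("alice")
    after_delete = (naive_authorize(d, "tok-1", "contacts.read"),
                    hardened_authorize(d, "tok-1", "contacts.read"))

    health = integration_health(d, "tok-1", ["contacts.read", "contacts.write"])
    return after_revoke, after_delete, health


if __name__ == "__main__":
    print(demo())
```

In `demo()` the naive validator returns `True` in both scenarios while the hardened one returns `False`, and the health probe reports each scope on its own rather than a single "sync OK" derived from a read succeeding. On the integration side, probing only the capability the product actually depends on (here, write) is what would have surfaced the broken sync the post describes.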