Owners API security issue - API endpoint is accessible to non account admins
Hi,
I’m testing the HubSpot API and I’ve discovered that the owners API endpoint (GET and POST) can be successfully requested by a user that is NOT an account administrator. This is a security issue that means that any HubSpot owner (e.g. a sales manager) could view and create other HubSpot owners.
To reproduce this issue, I connected to HubSpot using OAuth 2.0, authorized the HubSpot user that is NOT an account admin, and used the returned OAuth token to access the owners API.
thx @pmanca, I’ve also tested the Contacts API endpoint and it also has this security issue.
I used an OAuth token belonging to a HubSpot user that is only a Sales User with View permission set to ‘Owned only’, and using that token it was possible to get a list of contacts via the /v1/lists/all/contacts/all API endpoint. I checked the UI, and that user is correctly not allowed to see any contacts.
I haven’t checked any other sensitive API endpoints, but I assume this is a general API security oversight.
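A regression check for the class of gap described in this thread (a permission that the UI enforces but the API does not), added here as an example; it is not HubSpot's code or the poster's. It assumes a hypothetical role-to-endpoint expectation matrix and a `fetch` callable returning an HTTP status; the contacts path is the one quoted above, the owners path is a placeholder, and the offline fetcher's responses are constructed to mirror the observation in the post.

```python
"""Compare what the API actually allows per role with what the UI allows."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Endpoints under test: the contacts list path quoted in the thread and a
# placeholder for the owners endpoint (fill in from the API documentation).
ENDPOINTS = {
    "contacts_all": "/v1/lists/all/contacts/all",
    "owners_list": "/<owners-api-path>",  # placeholder, not a real path
}

# Hypothetical expectation matrix written from the UI permission model:
# True = the role may read this resource, False = it must be denied.
EXPECTED: Dict[str, Dict[str, bool]] = {
    "account_admin": {"contacts_all": True, "owners_list": True},
    "sales_owned_only": {"contacts_all": False, "owners_list": False},
}

ALLOWED_STATUSES = {200}
DENIED_STATUSES = {401, 403}

Violation = Tuple[str, str, int, str]  # (role, endpoint key, status, reason)


def check_role(role: str, fetch: Callable[[str], int]) -> List[Violation]:
    """Call every endpoint with the role's token; report mismatches."""
    violations: List[Violation] = []
    for key, should_allow in EXPECTED[role].items():
        status = fetch(ENDPOINTS[key])
        if should_allow and status not in ALLOWED_STATUSES:
            violations.append((role, key, status, "expected allow"))
        elif not should_allow and status not in DENIED_STATUSES:
            # The UI denies this role, so anything but 401/403 is a gap.
            violations.append((role, key, status, "expected deny"))
    return violations


def bearer_fetch(base_url: str, token: str) -> Callable[[str], int]:
    """Real fetcher: GET base_url+path with the role's OAuth bearer token."""
    def fetch(path: str) -> int:
        req = urllib.request.Request(base_url + path)
        req.add_header("Authorization", "Bearer " + token)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return fetch


def make_fake_fetch(responses: Dict[str, int]) -> Callable[[str], int]:
    """Offline fetcher with constructed responses (for tests and demos)."""
    return lambda path: responses.get(path, 404)
```

With the constructed fetcher returning 200 for both paths, `check_role("sales_owned_only", ...)` reports both endpoints as "expected deny" gaps, while the admin role reports none.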
I wanted to circle back on this @chico. In order to install any app into HubSpot you would have to be an admin. A normal user wouldn’t have the ability to get an access token to access the HubSpot APIs.
On the owners side there is a difference between an owner and a user. The Owners API does not make a HubSpot user. A non-admin using those endpoints could make an owner to assign contacts to, but would never be able to make an actual user that they could log in with advanced permissions.