Owners API security issue - API endpoint is accessible to non account admins

oauth

#1

Hi,

I’m testing the HubSpot API and I’ve discovered that the owners API endpoint (GET and POST) can be successfully requested by a user that is NOT an account administrator. This is a security issue that means that any HubSpot owner (e.g. a sales manager) could view and create other HubSpot owners.

To reproduce this issue, I connected to HubSpot using OAuth 2.0 and authorized the HubSpot user that is NOT an account admin and used the returned OAuth token to access the owners API.

Chico


#2

@chico I am going to jump back to our Engineering team with @zwolfson to see if we can confirm this for you or not.


#3

thx @pmanca, I’ve also tested the Contacts API endpoint and it also has this security issue.

I used an OAuth token belonging to a HubSpot user that is only a Sales User with View permission set to ‘Owned only’, and using that token it was possible to get a list of contacts via the /v1/lists/all/contacts/all API endpoint. I checked the UI, and that user is correctly not allowed to see any contacts.

I haven’t checked any other sensitive API endpoints, but I assume this is a general API security oversight.

Chico
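The gap described in the two posts above, reduced to a runnable model, as an added example that is not part of this thread or of HubSpot's code: a token-only check that returns every contact regardless of who authorized the token, beside a check that resolves the authorizing user and applies that user's own ‘Owned only’ visibility and admin requirement. All names (User, Contact, the token and contact tables) are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class User:
    user_id: str
    is_admin: bool = False
    contact_view: str = "all"   # "all" or "owned_only" (mirrors the UI setting)

@dataclass
class Contact:
    contact_id: int
    owner_id: str

# Constructed sample data: one admin, one sales user restricted to owned contacts.
USERS = {
    "admin-1": User("admin-1", is_admin=True),
    "sales-7": User("sales-7", contact_view="owned_only"),
}
CONTACTS = [Contact(1, "admin-1"), Contact(2, "sales-7"), Contact(3, "admin-1")]
# An OAuth grant binds a token to the user who authorized it.
TOKENS = {"tok-admin": "admin-1", "tok-sales": "sales-7"}

def resolve_user(token):
    """Map a token back to the user who authorized it, or reject it."""
    if token not in TOKENS:
        raise PermissionError("invalid token")
    return USERS[TOKENS[token]]

def scope_only_list_contacts(token):
    """Weak pattern: a valid token is treated as full authorization."""
    resolve_user(token)                      # validity checked, permissions ignored
    return [c.contact_id for c in CONTACTS]  # every contact, even for 'owned_only' users

def user_aware_list_contacts(token):
    """Hardened: apply the authorizing user's own visibility to the result set."""
    user = resolve_user(token)
    if user.is_admin or user.contact_view == "all":
        return [c.contact_id for c in CONTACTS]
    return [c.contact_id for c in CONTACTS if c.owner_id == user.user_id]

def can_create_owner(token):
    """Owner creation is an admin-only action, so the check is on the user, not the token."""
    return resolve_user(token).is_admin

def user_aware_create_owner(token, new_owner_id):
    if not can_create_owner(token):
        raise PermissionError("only account admins may create owners")
    USERS[new_owner_id] = User(new_owner_id)
    return new_owner_id
```

The hardened variants show the property the posts expect: the API result matches what the same user would see in the UI.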


#4

I wanted to circle back on this @chico. In order to install any app into HubSpot you would have to be an admin. A normal user wouldn’t have the ability to get an access token to access the HubSpot APIs.

On the owners side there is a difference between an owner and a user. The Owners API does not make a HubSpot user. A non-admin using those endpoints could make an owner to assign contacts to, but would never be able to make an actual user that they could log in with advanced permissions.