Oct 3, 2019 9:01 AM - edited Nov 7, 2019 3:57 PM
We are going to change form file upload URLs to require HubSpot user authentication for access/download.
New file links will be in the following form:
We will also change the accessibility of old files. We will update the old file URLs on the submissions and contact records. The old, publicly accessible links will cease to work at that time and will return 404 responses.
HubSpot forms handle a lot of different kinds of information, some of which may be private in nature. To foster trust and ensure proper data handling, we will require HubSpot user authentication to access files uploaded via these forms.
This change is happening on October 16, 2019.
Please join the conversation here if you have any comments or questions.
Edit (11/07/2019): Link to update on changelog.
Oct 31, 2019 9:44 AM
Thank you for your continued patience as we work out how to address the concerns that have been raised here. I’m pleased to report that we have a solution that will address many of those concerns while still maintaining the secure environment on which HubSpot prides itself.
Starting Monday, November 4th, URLs for files uploaded via HubSpot forms will have new authentication support. The current implementation supports browser-based app authentication, which enables a user logged in to HubSpot on a browser to download files via that browser. On Monday, we’ll add OAuth header and HAPIkey support. So you’ll be able to retrieve files using standard authentication mechanisms.
Also on Monday, we’ll start migrating existing file URLs to this new format and support. This migration may take a day or two.
We strive to deliver a secure, powerful platform on which our customers can build great experiences. We appreciate the passionate feedback we’ve received over the past few weeks on this issue.
Oct 31, 2019 10:09 AM
Matt, so this "user", what security within HS will this user have/require? Remember that for most of the folks that have commented here, this user will have no other responsibility/duties/needs other than to retrieve the file.
Without a locked down security profile, this is no more secure than whatever the perceived security risks (that I've yet to find an explanation behind) that brought on this original change.
For our application, our process is fairly simple (I do understand that others have more complex setups).
Job resume submission -
Easy Peasy..... I do not want this person to have any access to any part of the HS platform outside of getting this form's information and file. No access to any dashboards, reports, marketing, social - Nothing, Nada, Zilch.
Oct 31, 2019 11:44 AM
Oct 31, 2019 11:53 AM
This wouldn't work for a large company like ours. We aren't going to create a large number of logins and expect our team to try to remember another password for a software that is irrelevant to them to use.
Nov 1, 2019 11:25 AM
Just wanted to mention that I'm cautiously optimistic about the solution being rolled out, barring no additional surprises. The update will allow us to deliver our files as needed with minor additional build. We can handle that. We also care about securing the data in these files. We do want to be able to tell everyone using this system that their information is protected.
That said, HubSpot really needs to work on a few things here:
Nov 5, 2019 4:01 PM
As you've likely noticed, new files have the new URL format as of Monday, and existing files are in the process of being moved to the new format.
At the same time, we're completing testing of the authenticated download functionality, and will be providing updates and documentation once that is complete. At that time, the files at these new URLs will be accessible via OAuth headers (with the correct scope), API key, and standard, browser authentication.
Nov 5, 2019 2:39 PM
Matt / @mwelch Tried as of today and it seems that no consideration was given for setting up a user account, for file access only??
I have a test user that I have given them NO permissions in the Hubspot portal. Yet, upon logon this user has access to:
#1 How can a user that has effectively been given NO access rights, be able to access so much of the system? The files portion is a gaping hole. They could effectively delete every file in the website...!!!!!!!!!!!!
#2 How are we to access these files, SECURELY. Since security was the motivating factor in this project, there has to be a way to do exactly that.
Nov 5, 2019 3:38 PM
Has this solution rolled out yet?
If yes: Hubspot is still requiring recipients to sign into hubspot to view attachments.
If no: I'm confused about how this solution solves anything.
Please give us a status update, so we don't have to test it and look like idiots when our superiors ask us what's going on. "Hubspot not updating us" is not an acceptable excuse.
Nov 13, 2019 4:38 PM
For everyone else that the "fix" is not applicable or workable, what I did was basically to just go back old school and add "mailto" html code and removed the Hubspot form.
I know that for many, getting that information into HS is important, so this will probably not be a solution to you. But, we had to get something working, since there was no workable resolution presented.
Oct 24, 2019 2:19 AM
I just wanted to add that we, when using your application, also have a responsibility to ensure the safety of passed files. So in the end it is our responsibility to ensure secure handling. Which is why I believe the roll-back is an appropriate action. Set a disclaimer to stay in the clear. And let us take responsibility of our shared files.
Best wishes Birgitte
Oct 25, 2019 5:24 PM
Sorry to be the sticking point here. But, it's now been 2 days (now after 5pm EST on Friday) since your last update and we still don't have a workable system or even ideas as to how or when we might expect a resolution to this issue.....
I assume that HS has a Persona for frustrated customers!!!
Oct 28, 2019 2:32 PM
As I mentioned in my last update, our team has been actively investigating potential workarounds for this issue. Regrettably, in order to maintain data security, we have come to the conclusion that we will not allow files that have been uploaded via forms to be accessible publicly.
We are currently working on methods to allow these files to be accessed in an authenticated manner, in addition to the currently-available access through a HubSpot-logged-in browser. More information on that will be available later this week.
I know this is not the answer many of you were looking for, and am very sorry for any frustration and inconvenience this will cause.
Oct 28, 2019 2:45 PM
Hate to harp on it, but in addition to having to create those 40 new users. As part of this whole issue, of making the process more "secure" you will have to give these new users (as it stands now) access to parts of Hubspot that you most likely will not want them to have access to. Since HS does not allow a granular application of security rights.
We will most likely, if things do not improve, abandon this whole process and look for another provider or methodology of having files submitted to our company.
If HS really wanted to beef up security, they could have simply had a means to enforce the types of files being uploaded, i.e., not allowing Word/Excel/etc that have embedded macros.... Poof - More Secure Files.
Oct 28, 2019 2:45 PM
Have you told your partner integration developers this? You can no longer provide a partnership with these integrations? Very confused on this road block, especially since this prevents automation. Surely if us and our partners can provide a new work around on the API it can still be secured and will lie on our end the protection rights vs HubSpot since it will be sent to another platform and thus out of your hands.
Oct 28, 2019 4:29 PM - edited Oct 28, 2019 4:30 PM
This is very bad. Like the rest of your upset customers, I will be researching hubspot alternatives and sharing this experience with colleagues, public reviews and social media circles.
For now, my work-around is to use gravity forms WP plug-in. The attachments are sent through HS the same way, but via a link sourced from my webserver. This is not ideal b/c it takes up server space and as with all plug-ins, there is a risk of issues popping up. This is also not a fix for my HTML site that we haven't migrated to WP yet.
Not looking good Hubspot!
Oct 28, 2019 7:29 PM
My organization is dramatically impacted in a similar fashion to those that have commented previously. This change has significantly hindered our operational pipelines, and I do not feel messaging was adequately conveyed nor defended by Hubspot. We have the technical resources to respond to a change in spec/API access, but not the operational bandwidth to compensate for poor management of your functionality.
Looking forward to hearing re: a resolution in this thread as the week progresses.
Oct 28, 2019 2:28 PM
Please is there an update on this issue, especially for those who used to connect to Hubspot api? Is there a workaround as this change has "killed" our automations around Hubspot?
Surely it does not make sense to keep paying the normal Hubspot subscription fees when this key feature is not available as this situation has created manual jobs in my Organization, where we did not even have the extra manpower.
Nov 7, 2019 3:23 PM
We have posted a new changelog entry that details the updates to support authenticated access to these files, and which contains links to relevant documentation. Thanks for your patience as we built these new capabilities.
Nov 7, 2019 3:51 PM
So, in reading this... And please correct me if I'm wrong. The only way to get a file is to have a developer write an "app" of some sort? **bleep**?????
You still have not, as documented, provided a SECURE means of a regular HS user to access these files.
Nov 7, 2019 4:04 PM
Anyone know a developer who could record this process on a VidYard tutorial and post it? I've tried setting this up myself using the resources but it's like it's in another language. I'm completely lost.
@mwelch please look into additional options for us non-developers.
Nov 6, 2019 9:50 AM - edited Nov 6, 2019 9:51 AM
Jumping in on the bandwagon so I can get email updates.
As many of you have already indicated in this thread, this functionality is severely limiting.
I have been working since July with my Human Resources team to automate a significant portion of their Applicant Tracking System because they are short-staffed and are drowning in applicants. We just launched it completely this week and so it was very disappointing to learn that we now might not be able to automate those resumes/cover letters to go to the hiring managers for the open positions.
I'm familiar with HubSpot making changes on the fly (been using them since 2016) -- and I admit that it is usually for the better -- but this change has me scratching my head. Thanks for the link to the changelog -- this is now bookmarked on my browser and I will reference it frequently.
@mwelch I really do hope you and your team come up with a solution. Maybe a toggle setting within the property to opt-in and out of this functionality? You could always default it to "on", then we (the users) could just turn it off for the ones that interact with our internal workflows. Or even if you could designate the workflow as an internal workflow so you can bypass that rule.