May 1, 2019 6:07 PM
About half an hour ago, I recieved an odd email from Hubspot about, quoting it, "Inappropriate usage of Engagements API". It says that Hubspot has detected cross-origin requests from a domain registered to our account that were sent to the Engagements API. I have no idea what could've caused this. Has anyone else run into this problem?
May 2, 2019 1:49 PM
Hi everyone, we're really sorry for the confusion this has led to. For those that might read this post later down the line, this post's question is a direct response to an email sent out by our Developer Relations Team stating that there were front-end (CORS) requests to HubSpot APIs from their domains.
During a routine platform security review, we noticed that some Accounts were making client-side (or front-end) calls to our Engagements API. As a security best practices, these CORS requests are usually not allowed. Specifically, these client-side calls potentially allowed anyone visiting your site to see the API or authentication key being used in that request. This authentication key could be the Hapikey or an OAuth token.
If you are confused as to why you might have been contacted, our system showed some type of activity making these requests.
This is not necessarily indication of a system breach or larger issue. There could have been some code written by you or your team to use or test the HubSpot APIs on purpose from one of your webpages, or perhaps a visitor came to your site and made a request from their own browser's developer tools from their console. There might have only been a call or two made on your domain, but we always try to err on the side of caution and share if these types of requests came from your domain. It's also possible you may have processes running that you may be unaware of, or some legacy code somewhere, making these inefficient calls.
At this time, we are only able to share that these requests were originating from a domain you own, we are not able to share additional specifics of those requests.
If your account does not have an API key created, what should you do?
No action is required in this case. All we know is that there was a call to our endpoints from your domain. Authorization may not have even been specified in the call to our endpoints.
Next steps for anyone concerned about security and worries about exposure - we recommend:
1. You deactivate your API key.
2. You start using the new key (by generating a new API key and using that in your fixed code)
3. Be mindful of how you handle you key (aka do not expose via client-side requests, in a URL or URI string), so no one else will be able to copy it.
When will these front-end requests be stopped?
The API calls will continue to work through the end of next week. This was a pre-notice to customers, and we suggest you create a new key if warranted. If you are still worried about potential issues, please reply to this thread and we will reach out via DM to help you walk through any other steps.
May 2, 2019 5:54 PM
Is there a way to find out what might becausing the client-side calls?
May 2, 2019 8:03 PM
@Kathryn not at the moment. We're looking into it further to see if there's more information we can uncover to give you.
May 2, 2019 11:24 AM
May 1, 2019 7:11 PM
May 1, 2019 7:48 PM
+1 here too.
Is there a way to get some diagnostic information that could tell us what specific calls were made to the Engagements API?
Information about the source of the request?
Typical cases of inappropriate cross-origin requests that might point us in the right direction?
May 1, 2019 6:56 PM
We received the same email today and I have no idea what could've caused it.