SHOCKING: sales reps can disconnect your apps and DESTROY your online business

New Contributor

Did anybody notice that a simple "sales rep user" can go to Settings -> Integrations -> Apps, and do ANYTHING?

Like "hey, let's see what happens if I disconnect these apps"

Is this a bug/glitch or what??

Community Thought Leader

Confirmed using default Sales permissions with non-Admin HubSpot user on dev portal (4402709) to disconnect Automate.io integration that user did not set up.

Reported via Bugcrowd (see moderator alert). cc: @jennysowyrda @roisinkirby

Best,
Frank

Chief HubSpot Consultant



Occasional Contributor

Users can manage their own integrations, e.g. email sync, not the integrations of HubSpot on company level such as Zapier, Slack, or others.

New Contributor

@Padix not true, as I have just proven with these screenshots.

Community Manager

@kernel32bts can you please confirm the exact role and permission settings your sales reps have that are causing concern? We can dig into this further with the support team and get clarification for everyone.

CC: @jennysowyrda @sharonlicari

New Contributor

[Attached screenshots: SnapCrab_NoName_2019-5-14_17-18-19_No-00.jpg, SnapCrab_NoName_2019-5-14_17-18-6_No-00.jpg, SnapCrab_NoName_2019-5-14_17-18-9_No-00.jpg, SnapCrab_NoName_2019-5-14_17-18-14_No-00.jpg, SnapCrab_NoName_2019-5-14_17-18-17_No-00.jpg]

Community Manager

Thank you for confirming @kernel32bts!

As @Padix advised, I can confirm that the only integrations a non-admin user can access/control are their own (i.e. the ones they set up). Our Community Manager @jennysowyrda tested this and can confirm that integrations are blocked to users that do not use them and/or are not administrators.

If you are still concerned, please send a Private Message directly to @jennysowyrda and me.

Many thanks,

RK
