SHOCKING: sales reps can disconnect your apps and DESTROY your online business

New Contributor

Did anybody notice that a simple "sales rep user" can go to Settings -> Integrations -> Apps, and do ANYTHING?

Like "hey, let's see what happens if I disconnect these apps"

Is this a bug/glitch or what??

Community Superstar

Confirmed using default Sales permissions with a non-Admin HubSpot user on dev portal (4402709) to disconnect an Automate.io integration that the user did not set up.

Reported via Bugcrowd (see moderator alert). cc: @jennysowyrda @roisinkirby

Best,
Frank

Occasional Contributor

Users can manage their own integrations, e.g. email sync, not the integrations of HubSpot on company level such as Zapier, Slack, or others.

New Contributor

@Padix not true, as I just proved with these screenshots.

HubSpot Product Team

@kernel32bts can you please confirm the exact role and permission settings your sales reps have that are causing concern? We can dig into this further with the support team and get clarification for everyone.

CC: @jennysowyrda @sharonlicari

New Contributor

[Five screenshots attached]

HubSpot Product Team

Thank you for confirming @kernel32bts!

As @Padix advised, I can confirm that the only integrations a non-admin user can access/control are their own (i.e. the ones they set up). Our Community Manager @jennysowyrda tested this and can confirm that integrations are blocked to users that do not use them and/or are not administrators.

If you are still concerned, please send a Private Message directly to @jennysowyrda and me.

Many thanks,

RK
