SHOCKING: sales reps can disconntect your apps and DESTROY your online business

kernel32bts · ‎05-14-2019

Did anybody notice that a simple "sales rep user" can go to Settings -> Integrations -> Apps, and do ANYTHING?

like "ehi let's see what happens if i disconnect these apps"

is this a bug/glitch or what??

MFrankJohnson · ‎05-14-2019

Confirmed using default Sales permissions with non-Admin HubSpot user on dev portal (4402709) to disconnect Automate.io integration that user did not setup..

Reported via Bugcrowd (see moderator alert). cc: @jennysowyrda @roisinkirby

Best,
Frank

Chief HubSpot Consultant

MFrankJohnson.com | Perfect HubSpot Series | Connect on LinkedIn

Help find posts quickly ... accept this solution now.

Hope that helps.

Best,
Frank

Padix · ‎05-14-2019

Users can manage their own integrations e.g. email sync. Not the integrations of Hubspot on company level such as Zapier, Slack, or others.

kernel32bts · ‎05-14-2019

@Padixnot true. as i just proven with these screenshots

roisinkirby · ‎05-14-2019

@kernel32bts can you please confirm the exact role and permission settings your sales reps have that are causing concern? We can dig into this further with the support team and get clarification for everyone.

CC: @jennysowyrda, @sharonlicari

kernel32bts · ‎05-14-2019

roisinkirby · ‎05-14-2019

Thank you for confirming @kernel32bts!

As @Padix advised, I can confirm that the only integrations a non-admin user can access/control are their ones (i.e. the ones they set up). Our Community Manager @jennysowyrda tested this and can confirm that integrations are blocked to users that do not use them and/or are not administrators.

If you are still concerned please send a Private Message directly to @jennysowyrda and I.

Many thanks,

RK