We use cookies to make HubSpot's community a better place. Cookies help to provide a more personalized experience and relevant advertising for you, and web analytics for us. To learn more, and to see a full list of cookies we use, check out our Cookie Policy (baked goods not included).

Allow cookies

File manager serious security issue

Status: In Planning
jc
Submitted by Contributor | Diamond Partner on ‎Mar 13, 2019 2:16 PM

Anyone with the lowest level of permissions within a Hubspot portal can delete all Hubspot files in the File Manager. 

 

  • Anyone can delete all marketing assets
  • Anyone can delete all sales assets

This is very insecure for all Hubspot customers.

See more ideas labeled with:
11 Replies
Carolynn
Member
‎Feb 11, 2020 11:39 AM

Hey HubSpot,

PLEASE give me a way to set permissions on images.  I had a Sales Professional user inadvertently delete our logo images & it consequently messed up all of our carefully set up Hubspot email signatures!  Of course I didn't know what the problem was, only that our logo images were gone. Thankfully, our tech support person was able to diagnose what happened & even tell me which user had deleted the images.  It is fixed for now, but who knows if/when it could happen again.

 

Carolynn

Status updated to: Being Reviewed
watanak
HubSpot Product Team
HubSpot Product Team
‎Mar 25, 2020 10:09 AM
 
MoritzM
Member
‎Mar 31, 2020 8:13 AM

I second what jc and Carolynn state. It's a potential serious security issue.

 

Please solve this HubSpot.

 

In addition, the level of detail / access Users can see in the Settings section of their accounts should have the ability to be restricted.

 

Best wishes.

lverhagen
Participant
‎Apr 7, 2020 10:32 AM

I did not realise this until recently, and now I am really worried. Please fix this as soon as possible. I think when you say someone doesn't have marketing access, they don't have access to ANYTHING that's normally under marketing. At least, that is what I would expect and also really want.

MoritzM
Member
‎Apr 7, 2020 10:53 AM

I agree with @lverhagen and @jc  and @Carolynn 

 

It is a serious security issue that could lead a company to move away from HubSpot and choose a competitor.

 

I am shocked such a glaring security isue has been allowed by HubSpot.

 

Such a level of insecurity gets more serious when one considers how many HubSpot Customers will use temporary contractors in their businesses/portals.

 

Please fix this asap, HubSpot! @watanak 

watanak
HubSpot Product Team
HubSpot Product Team
‎Apr 7, 2020 11:09 AM

Hi everyone, (cc: @MoritzM @lverhagen @jc @Carolynn )

 

Thank you for continuing to comment on this thread. I wanted to let you know that the team is actively working on addressing this issue.

 

Kie

Status updated to: In Planning
watanak
HubSpot Product Team
HubSpot Product Team
‎Apr 7, 2020 11:10 AM
 
MoritzM
Member
‎Aug 18, 2020 9:03 AM

Has this issue been resolved yet?

 

This is rather disappointing security flaw. 

 

Kind regards.

MoritzM
Member
‎Sep 4, 2020 10:20 AM

@watanak can we have an update regarding our messages?

 

Kind regards.

cjmil
Participant
‎Oct 29, 2020 2:41 PM

This is a serious issue for our organization as well - the lack of file permissions is shocking. We are running into significant issues around access to sensitive information with this. This needs to be escalated and addressed asap @watanak 

MoritzM
Member
‎Oct 30, 2020 7:38 AM

@cjmil agreed.

 

I still cannot believe HubSpot has not resolved this ongoing issue. One can see from this thread, HubSpot was made aware back in March 2019 and it was revisited in April 2020 by myself and others.

 

@watanak are you going to at least acknowledge HubSpot customers messages here?