File manager serious security issue

jc

Anyone with the lowest level of permissions within a Hubspot portal can delete all Hubspot files in the File Manager. 

 

  • Anyone can delete all marketing assets
  • Anyone can delete all sales assets

This is very insecure for all Hubspot customers.

11 Replies
Carolynn
Member

Hey HubSpot,

PLEASE give me a way to set permissions on images.  I had a Sales Professional user inadvertently delete our logo images & it consequently messed up all of our carefully set up Hubspot email signatures!  Of course I didn't know what the problem was, only that our logo images were gone. Thankfully, our tech support person was able to diagnose what happened & even tell me which user had deleted the images.  It is fixed for now, but who knows if/when it could happen again.

 

Carolynn

Status updated to: Being Reviewed
watanak
HubSpot Product Team
 
MoritzM
Member

I second what jc and Carolynn state. It's a potential serious security issue.

 

Please solve this HubSpot.

 

In addition, the level of detail / access Users can see in the Settings section of their accounts should have the ability to be restricted.

 

Best wishes.

lverhagen
Participant

I did not realise this until recently, and now I am really worried. Please fix this as soon as possible. I think when you say someone doesn't have marketing access, they don't have access to ANYTHING that's normally under marketing. At least, that is what I would expect and also really want.

MoritzM
Member

I agree with @lverhagen, @jc and @Carolynn.

 

It is a serious security issue that could lead a company to move away from HubSpot and choose a competitor.

 

I am shocked such a glaring security issue has been allowed by HubSpot.

 

Such a level of insecurity gets more serious when one considers how many HubSpot Customers will use temporary contractors in their businesses/portals.

 

Please fix this asap, HubSpot! @watanak 

watanak
HubSpot Product Team

Hi everyone, (cc: @MoritzM @lverhagen @jc @Carolynn )

 

Thank you for continuing to comment on this thread. I wanted to let you know that the team is actively working on addressing this issue.

 

Kie

Status updated to: In Planning
watanak
HubSpot Product Team
 
MoritzM
Member

Has this issue been resolved yet?

 

This is a rather disappointing security flaw.

 

Kind regards.

MoritzM
Member

@watanak can we have an update regarding our messages?

 

Kind regards.

cjmil
Participant

This is a serious issue for our organization as well - the lack of file permissions is shocking. We are running into significant issues around access to sensitive information with this. This needs to be escalated and addressed asap @watanak 

MoritzM
Member

@cjmil agreed.

 

I still cannot believe HubSpot has not resolved this ongoing issue. One can see from this thread, HubSpot was made aware back in March 2019 and it was revisited in April 2020 by myself and others.

 

@watanak are you going to at least acknowledge HubSpot customers' messages here?