HubSpot Access Control Vulnerability in REST API Endpoint Allowing User Data Disclosure
Vulnerability
A vulnerability exists in HubSpot's REST API endpoint, specifically in the Users UI, that allows unauthenticated attackers to access users' data without proper authorization. This issue arises from incorrect access control, enabling the retrieval of sensitive information such as names and emails by manipulating intercepted UI requests. The vulnerability affects HubSpot version 1.29441.
Impact
Exploitation of this vulnerability could lead to unauthorized access to user data, including names and email addresses, increasing the risk of targeted phishing attacks and user enumeration.
Reproduction
To reproduce this vulnerability, authenticate with a non-privileged account and intercept a legitimate request to the Users UI. Replace the request path with the internal options endpoint, including the necessary parameters, and resend the request using the same session cookie. The server will respond with user data that should not be accessible to the caller.
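As an added illustration, not HubSpot's code, the flaw class described above (an internal endpoint that only checks for a valid session, not for the caller's privilege) beside a hardened handler that authorizes per endpoint and minimises what ordinary callers receive. Endpoint paths, the role model and the sample users are assumed for the example.

```python
from dataclasses import dataclass

# Constructed sample user records (the kind of data the advisory says was exposed).
USERS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.test", "role": "admin"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.test", "role": "member"},
]


@dataclass
class Session:
    user_id: int
    role: str  # assumed role model: "admin" or "member"


# Deny by default: a path that is not listed here is never served.
ENDPOINT_PERMISSIONS = {
    "/users/ui": {"admin", "member"},
    "/users/internal/options": {"admin"},  # assumed internal endpoint, admin only
}


def handle_vulnerable(session, path):
    """Only authenticates: any valid session can reach the internal endpoint."""
    if session is None:
        return 401, None
    if path in ("/users/ui", "/users/internal/options"):
        return 200, USERS  # full records, including emails, to every caller
    return 404, None


def handle_hardened(session, path):
    """Authenticate, then authorize the caller for this endpoint, then minimise."""
    if session is None:
        return 401, None
    allowed_roles = ENDPOINT_PERMISSIONS.get(path)
    if allowed_roles is None:
        return 404, None
    if session.role not in allowed_roles:
        return 403, None  # a swapped-in path no longer yields data to a low-privilege session
    if path == "/users/ui":
        # Ordinary UI callers get display names only; emails never leave the server here.
        return 200, [{"id": u["id"], "name": u["name"]} for u in USERS]
    return 200, USERS
```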
Remediation
HubSpot has acknowledged this vulnerability and applied a server-side fix. No customer action was required.
