HubSpot OAuth Token
ID: hubspot_token
Severity: high
Vendor: HubSpot
Family: OAuth Token
Description
HubSpot is a CRM platform that gathers the tooling scaling companies use to manage their customer relationships in one place.
HubSpot exposes an API that is authenticated with scoped OAuth access tokens. Tokens issued to a "private app" are long-lived bearer credentials tied to that app's scopes and carry a recognisable `pat-` prefix, as in the example below.
Security
Any hardcoded HubSpot access token is a potential secret and is reported by this detector.
Accidentally committing the token to a source control repository can compromise your HubSpot account: anyone who obtains the token can perform every operation the token's scopes permit, without needing a password or MFA. Because the API is typically used to integrate HubSpot with external systems, this may open the door to access to customer data, website defacements,
Examples
const hubspot = require('@hubspot/api-client');
const hubspotClient = new hubspot.Client({ accessToken: 'pat-eu1-b746129c-7a34-481d-0375-4b84d4e5baf5' }); // literal private-app token in source: this is what the detector flags
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). A compromised private-app token can be rotated from the HubSpot dashboard. See Rotate your access token.
- Remove the access token from the source code or committed configuration file and pass it through a more secure channel instead: a secrets vault, a file kept out of version control, an environment variable, or similar.
Consider any sensitive data in commits that contain secrets as compromised. Remember that a secret may be removed from your project's history, but not from other users' clones or forks of the repository.
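The following is an added example, not code from the original page or from HubSpot's SDK, that covers both the Examples and the Mitigation sections: a small scanner that finds literal private-app tokens in source text and reports them in redacted form, next to a loader that reads the token from an environment variable and refuses to start if it is missing or malformed. The token pattern is generalised from the single sample on this page (`pat-<region>-<uuid>`, with the region assumed to be two letters and a digit such as `eu1` or `na1`); the variable name `HUBSPOT_ACCESS_TOKEN` and the sample source lines are constructed for the example.

```javascript
// Added example: not part of the original page or of HubSpot's SDK.
// Assumption: private-app tokens look like the sample on this page,
// "pat-<region>-<uuid>", with a region such as eu1 or na1. Adjust the
// region sub-pattern if your tenant uses a different label.
const HUBSPOT_TOKEN_RE =
  /\bpat-[a-z]{2}\d-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b/g;

// Mask a token so a finding can be logged or ticketed without re-leaking it:
// keep the prefix (which identifies the credential type) and the last 4 chars.
function redact(token) {
  return token.slice(0, 8) + '...' + token.slice(-4);
}

// Scan source text line by line and return one finding per literal token,
// with its 1-based line number and the redacted value. A line that only
// references an environment variable holds no literal token and never matches.
function findHubspotTokens(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((line, idx) => {
    for (const m of line.matchAll(HUBSPOT_TOKEN_RE)) {
      findings.push({ line: idx + 1, token: redact(m[0]) });
    }
  });
  return findings;
}

// Mitigation side: take the token from the environment instead of the code.
// Fail fast with a message that never echoes the value, and reject anything
// that does not look like a private-app token so a mis-set variable is caught
// before the first API call rather than as a confusing 401 later.
// The variable name is an assumption for this example.
function loadHubspotToken(env = process.env, name = 'HUBSPOT_ACCESS_TOKEN') {
  const token = env[name];
  if (!token) {
    throw new Error(`${name} is not set; refusing to start without a HubSpot token`);
  }
  const exact = new RegExp(`^${HUBSPOT_TOKEN_RE.source}$`);
  if (!exact.test(token)) {
    throw new Error(`${name} does not look like a HubSpot private-app token`);
  }
  return token;
}

// Constructed sample input: the hardcoded line from this page's Examples
// section beside the corrected form that reads the token from the environment.
const SAMPLE_SOURCE = [
  "const hubspot = require('@hubspot/api-client');",
  "const leaked = new hubspot.Client({ accessToken: 'pat-eu1-b746129c-7a34-481d-0375-4b84d4e5baf5' });",
  "const safe = new hubspot.Client({ accessToken: process.env.HUBSPOT_ACCESS_TOKEN });",
].join('\n');

// Run the scanner over the sample: only line 2 is reported, in redacted form.
for (const f of findHubspotTokens(SAMPLE_SOURCE)) {
  console.log(`line ${f.line}: hardcoded HubSpot token ${f.token}`);
}
```

`findHubspotTokens` is the same check a pre-commit hook or CI step would run over staged files; `loadHubspotToken` is what the application calls at startup in place of the literal, so the token never appears in the repository at all.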