Exposure of confidential secret or token HubSpot private app API token

Description

The response body contains content that matches the pattern of a HubSpot private app API token was identified. Private apps allow you to use HubSpot’s APIs to access specific data from your HubSpot account and can be restricted by setting specific scopes. A malicious actor with access to this token can call API endpoints with the same levels as those set in the scope of the application. This could be anywhere from only reading marketing campaigns to accessing user and account information and sending emails. Exposing this value could allow attackers to gain access to all resources granted by this token.

Remediation

For general guidance on handling security incidents with regards to leaked keys, please see the GitLab documentation on Credential exposure to the internet.

To rotate a private app API token:

• Sign in to your HubSpot account at https://app.hubspot.com/
• In the left-hand menu, hover over the database icon and select “Integrations”
• Find the private app that has the identified token and select its name
• Select the “Auth” tab in the top of the page
• In the “Access token” section of the page, select “Rotate”
• Select “Rotate and expire this token now” when prompted
• Select “Rotate now” in the “Rotate access token now?” dialog

For more information, please see HubSpot’s documentation on private apps

Details

Links

• CWE