HubSpot postMessage Interception PoC

This PoC demonstrates how an attacker-controlled page can frame a HubSpot preview iframe and intercept the postMessage events it sends to its parent.

The preview pages send no Content-Security-Policy frame-ancestors directive, so any origin can frame them.


Attack Configuration

Step 1: Target URL. Enter a HubSpot preview URL to frame (or use the default demo).

Step 2: Attacker Origin Simulation. This page simulates being hosted on an attacker domain.

Step 3: Actions.

Panels: Framed HubSpot Preview (Victim), Intercepted Messages, Attack Log.

Vulnerability Chain

  1. Missing frame-ancestors CSP: HubSpot preview pages (*.hubspotpreview-*.com) can be framed by any origin
  2. Wildcard postMessage: the preview iframe sends messages to its parent with postMessage(..., "*"), so whichever page framed it receives them
  3. Origin validation bypass: the receiver checks event.origin with .includes(".hubspot.com"), a substring test that accepts attacker origins such as https://fake.hubspot.com.evil.com
  4. Sensitive data exposure: content-assistance requests and responses carry AI-generated content and user data

Proof of Concept Steps

  1. Host this page on a domain whose origin contains ".hubspot.com", e.g. fake.hubspot.com.evil.com
  2. Get a victim to visit the attacker page while logged into HubSpot
  3. The page frames a HubSpot preview URL (no frame-ancestors directive blocks it)
  4. When the preview iframe posts messages with targetOrigin "*", the attacker page's message listener receives them
  5. The attacker page can also post messages TO the iframe; the preview's .includes(".hubspot.com") check accepts its origin
  6. Result: the attacker can trigger AI content generation, intercept the responses, and manipulate inbox connections
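The following is an added example that models the three links of the vulnerability chain and the PoC steps above as plain functions, so the logic can be exercised outside a browser. It is not HubSpot's code: the weak check reproduces only the .includes(".hubspot.com") pattern the page describes, and the allowlist, the CSP header strings, the portal ID and the sample message events are constructed for the demo.

```javascript
// Added example, not HubSpot's code. Models the origin check, the postMessage
// delivery rule and frame-ancestors so the chain can be walked in Node.

// 1. Origin check as the page describes it: a substring test on event.origin.
function weakOriginCheck(origin) {
  return origin.includes(".hubspot.com");
}

// Hardened replacement: compare the whole origin against an explicit allowlist.
// The allowlist entries are assumptions for the demo, not HubSpot's real list.
const ALLOWED_ORIGINS = new Set([
  "https://app.hubspot.com",
  "https://app-eu1.hubspot.com",
]);

function strictOriginCheck(origin) {
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return false; // "null" (opaque origin) or garbage: never trust it
  }
  // event.origin is exactly scheme://host[:port]; anything else is rejected.
  return parsed.origin === origin && ALLOWED_ORIGINS.has(parsed.origin);
}

// 2. Browser delivery rule for postMessage(data, targetOrigin): "*" delivers to
// any receiving window; a specific origin must equal the receiver's origin.
function postMessageDelivered(targetOrigin, receiverOrigin) {
  return targetOrigin === "*" || targetOrigin === receiverOrigin;
}

// 3. frame-ancestors evaluation: no header (or no directive) means any origin
// may frame the page. Only 'none', 'self' and exact origins are handled here.
function frameAncestorsAllows(cspHeader, parentOrigin, selfOrigin) {
  if (!cspHeader) return true;
  const directive = cspHeader
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("frame-ancestors"));
  if (!directive) return true;
  const sources = directive.split(/\s+/).slice(1);
  if (sources.includes("'none'")) return false;
  return sources.some(
    (src) => (src === "'self'" && parentOrigin === selfOrigin) || src === parentOrigin
  );
}

// Constructed message events as the preview iframe's listener would see them.
const SAMPLE_EVENTS = [
  { origin: "https://app.hubspot.com", data: { type: "contentAssist" } },
  { origin: "https://fake.hubspot.com.evil.com", data: { type: "contentAssist" } },
  { origin: "https://evil.com", data: { type: "contentAssist" } },
  { origin: "null", data: { type: "contentAssist" } },
];

function originsAcceptedBy(check, events = SAMPLE_EVENTS) {
  return events.filter((e) => check(e.origin)).map((e) => e.origin);
}

// Walk the chain for one attacker origin and report which links hold.
// The preview origin uses a constructed portal ID.
function attackChain(attackerOrigin, previewCsp, previewTargetOrigin) {
  const previewOrigin = "https://123456.hubspotpreview-na1.com";
  return {
    canFrame: frameAncestorsAllows(previewCsp, attackerOrigin, previewOrigin),
    receivesMessages: postMessageDelivered(previewTargetOrigin, attackerOrigin),
    canSendMessages: weakOriginCheck(attackerOrigin),
  };
}

// Vulnerable configuration: no CSP, wildcard targetOrigin, substring check.
console.log(attackChain("https://fake.hubspot.com.evil.com", undefined, "*"));
// Hardened configuration: frame-ancestors set and a specific targetOrigin.
console.log(
  attackChain(
    "https://fake.hubspot.com.evil.com",
    "frame-ancestors https://app.hubspot.com",
    "https://app.hubspot.com"
  )
);
```

Note that canSendMessages stays true in the hardened run because the receiver's check is still weakOriginCheck; swapping in strictOriginCheck is the third fix, and each of the three links must be closed independently since any one of them left open is enough for a framing page to either read or inject messages.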

Real-World Attack URLs

These HubSpot preview URLs can be framed (replace PORTAL_ID with any valid portal):

https://PORTAL_ID.hubspotpreview-na1.com/_hcms/preview/template/...
https://PORTAL_ID.hubspotpreview-eu1.com/_hcms/preview/template/...
https://PORTAL_ID.hubspotpreviewqa-na1.com/_hcms/preview/template/...

The portal ID appears in public URLs and can be enumerated, so any HubSpot customer's preview pages can be targeted.