Notion, a widely used productivity and collaboration platform, is under scrutiny from the security community after its public pages were found to leak sensitive information about the people who edited them, raising serious privacy concerns.
Exposure of Personal Information
Security researchers have found that public Notion pages disclose personally identifiable information (PII) about every user who has edited them, including full names, email addresses and profile photos. Because the data belongs to the editors rather than to the page content, the exposure is a concrete risk for any organization that uses Notion to host public documentation: its employees' contact details become visible to anyone who reads the page.
Vulnerability in Notion’s Data Handling
The root of the issue is how Notion handles user information for pages in public workspaces. When a document is made publicly accessible, the UUIDs of its editors are embedded in the page's block permissions. These identifiers are served without any authentication, so anyone who loads the public page, whether a threat actor or an open-source intelligence (OSINT) researcher, can collect them.
With those UUIDs in hand, an attacker sends a single unauthenticated POST request to one of Notion's internal API endpoints. Because the endpoint applies no access control to data associated with public pages, it returns the full user profile for each identifier: name, email address and profile photo. Neither step needs an account, so the two requests can be scripted and run across every indexed public page.
Longstanding Issue and Community Response
The vulnerability is not new. Security researchers reported it through Notion's HackerOne bug bounty program in July 2022, but Notion classified the report as Informative and made no structural change to how public page data is served, so the behaviour remained in place.
The issue recently resurfaced on social media and drew broad criticism from developers and security practitioners. The frustration stems from the fact that a flaw left unaddressed for nearly four years exposes countless indexed pages to data scraping.
Notion’s Acknowledgment and Future Plans
In response to the backlash, Notion has acknowledged the problem and says it is working on a fix. Max Schoening, a representative for Notion, stated that the company is considering architectural changes that would either remove PII from public-facing endpoints entirely or route contact details through an email proxy system so that real addresses are never returned.
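The following Python script is an added illustration of the two-step leak chain described above (editor UUIDs in public block permissions, then an unauthenticated profile lookup) next to a hardened lookup that reflects the email-proxy idea Notion is considering. It is not Notion's code and does not talk to Notion: the page record, the field names in the permissions list, the backend user table and the proxy-address scheme are all constructed for the demonstration and are assumptions about the shape of the data, not Notion's real schema or API.

```python
import hashlib
import hmac
import uuid
from typing import Dict, Set

# Constructed public page record. The "permissions" layout is a hypothetical
# approximation of block permissions, not Notion's actual schema.
PUBLIC_PAGE_RECORD = {
    "id": "0f5b2d2e-1c3a-4b7e-9c1d-aaaaaaaaaaaa",
    "type": "page",
    "permissions": [
        {"type": "public_permission", "role": "reader"},
        {"type": "user_permission", "role": "editor",
         "user_id": "5e0b9a5e-3d1f-4f5a-8a7b-111111111111"},
        {"type": "user_permission", "role": "editor",
         "user_id": "9c3d2f1a-7b6e-4c5d-9e8f-222222222222"},
        # Malformed entry, included to show that the extractor rejects it.
        {"type": "user_permission", "role": "editor", "user_id": "not-a-uuid"},
    ],
}

# Constructed stand-in for the backend user table the profile endpoint reads.
USER_DIRECTORY = {
    "5e0b9a5e-3d1f-4f5a-8a7b-111111111111": {
        "name": "Alice Example", "email": "alice@example.com",
        "photo": "https://example.com/alice.png"},
    "9c3d2f1a-7b6e-4c5d-9e8f-222222222222": {
        "name": "Bob Example", "email": "bob@example.com",
        "photo": "https://example.com/bob.png"},
}


def extract_editor_ids(record: dict) -> Set[str]:
    """Step 1 of the chain: harvest editor UUIDs from a page record that is
    served without authentication. Only well-formed UUIDs are kept."""
    ids: Set[str] = set()
    for perm in record.get("permissions", []):
        if perm.get("type") != "user_permission":
            continue
        try:
            ids.add(str(uuid.UUID(perm["user_id"])))
        except (KeyError, ValueError):
            continue  # missing or malformed id; nothing to look up
    return ids


def resolve_profiles_vulnerable(ids: Set[str], directory: Dict[str, dict]) -> Dict[str, dict]:
    """Step 2 as the article describes it: the lookup returns the complete
    profile (name, email, photo) for every id, regardless of who asks."""
    return {i: dict(directory[i]) for i in sorted(ids) if i in directory}


# Server-side secret for the proxy scheme; a constructed value for the demo.
PROXY_KEY = b"constructed-demo-key"


def proxy_email(user_id: str) -> str:
    """Stable, non-reversible proxy address derived from the user id with an
    HMAC, so the same editor always maps to the same address but the real
    mailbox is never exposed. The domain is a placeholder."""
    tag = hmac.new(PROXY_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{tag}@proxy.example"


def resolve_profiles_hardened(ids: Set[str], directory: Dict[str, dict],
                              authenticated: bool) -> Dict[str, dict]:
    """Hardened lookup: authenticated workspace members still get full
    profiles, while unauthenticated callers receive only the display name a
    public page needs and a proxied email, with the photo dropped. Which
    fields to keep for anonymous callers is an assumption of this example."""
    out: Dict[str, dict] = {}
    for i in sorted(ids):
        if i not in directory:
            continue
        if authenticated:
            out[i] = dict(directory[i])
        else:
            out[i] = {"name": directory[i]["name"], "email": proxy_email(i)}
    return out


if __name__ == "__main__":
    editors = extract_editor_ids(PUBLIC_PAGE_RECORD)
    print("leaked:", resolve_profiles_vulnerable(editors, USER_DIRECTORY))
    print("hardened:", resolve_profiles_hardened(editors, USER_DIRECTORY, authenticated=False))
```

The point of the contrast is that the fix is an access-control decision at the profile endpoint, not at the page: the editor UUIDs may still appear in public block permissions, but an anonymous lookup on them no longer yields a usable email address or photo.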
Until such measures ship, organizations that use Notion for public resources should assume that the contact details of any employee who has edited a public page may already have been scraped, and should keep an eye on further developments before relying on the platform for public documentation.
