
🎯Basically, Notion pages are leaking personal information of users who edited them.
What Happened
Notion, a popular productivity and collaboration platform, is under fire for a significant privacy issue. Security researchers discovered that public Notion pages expose the personally identifiable information (PII) of anyone who has edited them. This data leak includes full names, email addresses, and profile photos of editors, prompting serious concerns for organizations that utilize the platform for public documentation.
The Flaw
The vulnerability arises from how Notion handles user data within public workspaces. When a document is published to the web, Notion embeds the editors' UUIDs (Universally Unique Identifiers) directly into the page's block permissions. Anyone can read those UUIDs without authenticating, and each one can then be resolved to a profile: a single unauthenticated POST request to Notion's internal API endpoint returns the complete user profile associated with a UUID, including sensitive data.
Who's Affected
Organizations using Notion for public-facing resources are at risk. This includes companies that maintain public wikis or open-source project boards. Every employee's email becomes vulnerable to exposure, which could lead to targeted phishing campaigns and social engineering attacks.
What Data Was Exposed
The exposed data includes:
- Full names of editors
- Email addresses
- Profile photos
This information creates a massive attack surface, particularly for organizations that rely on Notion for collaboration and documentation.
Official Response and Proposed Mitigations
In response to the backlash, Notion has acknowledged the issue. A representative stated that the platform provides warnings about data visibility when pages are published. However, they recognize that this design poses unacceptable security risks. Notion is now working on a permanent fix, which may involve stripping PII from public-facing endpoints or implementing an email proxy system to mask user addresses.
What You Should Do
Organizations should remain vigilant. Here are some steps to mitigate risks:
Assessment
1. Review public Notion pages for sensitive information.
2. Consider restricting access to sensitive documents.
Compliance
3. Monitor for any unusual activity related to exposed email addresses.
4. Stay updated on Notion's upcoming security fixes and implement them as soon as they are available.
🔒 Pro insight: The lack of access controls on public endpoints highlights a critical oversight in Notion's security architecture, necessitating immediate remediation.