Notion, a popular platform for productivity and collaboration, is facing scrutiny after security researchers discovered a significant vulnerability. Public Notion pages are leaking personally identifiable information (PII) of users who have edited them, including full names, email addresses, and profile photos. This raises privacy concerns for organizations using Notion for public documentation.

The vulnerability is rooted in how Notion handles user data in public workspaces. When a document is published online, Notion embeds editor UUIDs (Universally Unique Identifiers) in the page's block permissions. These identifiers are accessible without authentication, allowing attackers to retrieve user profiles through a single unauthenticated POST request to Notion's internal API endpoint. This lack of access control means that public pages can inadvertently expose the contact details of all editors.

The issue has been known since July 2022 when it was reported to Notion via the HackerOne bug bounty program. However, Notion's security team initially classified the report as 'informative' and closed it without implementing a fix. The problem resurfaced recently, causing frustration among developers and cybersecurity professionals who are concerned about the potential for phishing and social engineering attacks.

In response to the backlash, Notion has acknowledged the problem and is working on a permanent fix. The company plans to either remove PII from public endpoints or implement an email proxy system to protect user information. Until these measures are in place, organizations should be cautious about using Notion for public-facing resources.

To mitigate risks, organizations should review their use of public Notion pages and consider restricting access to sensitive information. Staying informed about updates from Notion and implementing additional security measures can help protect against potential data exposure.

Source: https://x.com/i/trending/2045988234212024677