Security researchers have revealed that public Notion pages silently expose the personally identifiable information (PII) of anyone who has ever edited them.
The exposed data includes full names, email addresses, and profile photos, which is a real privacy problem for organizations that use the platform for public documentation.
The underlying weakness is in how Notion serves user data for pages published to the web.
When a document is published, the platform embeds the editors' UUIDs (Universally Unique Identifiers) directly in the page's block permissions.
Threat actors and open-source intelligence (OSINT) researchers found that these internal identifiers are readable in the page data by anyone, with no authentication, session cookie, or security token required.
Once the UUIDs are harvested, an attacker can submit them in a single unauthenticated POST request to Notion's internal API endpoint /api/v3/syncRecordValuesMain.
Because this endpoint does not enforce access controls on user records referenced from public pages, it returns the complete user profile for each UUID supplied; the lookup is keyed on the identifier alone, so the page only has to reveal the identifier for the profile to be retrievable.
Consequently, a public company wiki or open-source project board can inadvertently expose the exact contact details of every employee or contributor who interacts with the document.
The most controversial aspect of this exposure is its long, unresolved timeline. According to security researchers, this exact API behavior was responsibly disclosed to Notion through the HackerOne bug bounty program in July 2022.
At the time, Notion's security team triaged the submission as merely "informative" and closed the report as out of scope without implementing a structural fix.
The issue recently resurfaced on X, sparking outrage among developers and cybersecurity professionals. Many paying customers voiced frustration at what they see as negligence on the platform's part, noting that an issue left open for nearly four years leaves thousands of indexable pages exposed to automated scraping.
Security experts emphasized that a scraped list of names and email addresses, already tied to a specific company or project by the page that leaked them, is exactly the seed data needed for targeted phishing and social engineering campaigns against corporate targets.
Following the intense public backlash, Notion has formally acknowledged the problem. Notion representative Max Schoening addressed the community’s concerns, noting that the platform provides user warnings about data visibility when a page is published to the web.
However, recognizing that this design choice poses unacceptable security risks, Notion is now working on a permanent architectural fix.
The engineering team plans to either strip PII completely from public-facing endpoints or implement an email proxy system to mask user addresses.
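As an added example, not Notion's code and not part of the original article, the following Python models the two halves of this story in miniature: harvesting user UUIDs from the record data a published page ships to the browser, and the difference between a user-lookup endpoint that returns full records to any caller and one that applies the kind of fix described above (a field allowlist plus an HMAC-derived relay address in place of the real email). The record layout, the field names (`user_id`, `created_by_id`, `last_edited_by_id`), the user directory and the relay-domain scheme are all constructed assumptions for illustration; they are not Notion's actual schema or API.

```python
import hashlib
import hmac
import re
from typing import Any, Iterable

# RFC 4122-style UUID as it appears in page data.
UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# Keys that reference a user rather than a block. Assumed names, chosen to
# mirror the article's description (editor UUIDs inside block permissions).
USER_REF_KEYS = {"user_id", "created_by_id", "last_edited_by_id"}

# Constructed stand-in for the record data a published page delivers to the
# browser. The shape is illustrative, not Notion's real schema.
SAMPLE_PAGE_DATA: dict[str, Any] = {
    "block": {
        "0f3a1c22-9d6b-4a77-8e41-5b2c7d9e1a03": {
            "value": {
                "type": "page",
                "created_by_id": "9a8b7c6d-1111-4e2f-8a9b-0c1d2e3f4a5b",
                "last_edited_by_id": "3e4f5a6b-2222-4c7d-9e8f-1a2b3c4d5e6f",
                "permissions": [
                    {"role": "editor", "type": "user_permission",
                     "user_id": "9a8b7c6d-1111-4e2f-8a9b-0c1d2e3f4a5b"},
                    {"role": "reader", "type": "public_permission"},
                ],
            }
        },
        "b7d2e9f0-4c55-4d11-a7e3-6f8a9b0c1d2e": {
            "value": {
                "type": "text",
                "parent_id": "0f3a1c22-9d6b-4a77-8e41-5b2c7d9e1a03",
                "last_edited_by_id": "3e4f5a6b-2222-4c7d-9e8f-1a2b3c4d5e6f",
            }
        },
    }
}

# Constructed user directory standing in for what the lookup endpoint reads.
USER_DIRECTORY: dict[str, dict[str, str]] = {
    "9a8b7c6d-1111-4e2f-8a9b-0c1d2e3f4a5b": {
        "id": "9a8b7c6d-1111-4e2f-8a9b-0c1d2e3f4a5b",
        "name": "Alice Example",
        "email": "alice@example.com",
        "profile_photo": "https://img.example/alice.png",
    },
    "3e4f5a6b-2222-4c7d-9e8f-1a2b3c4d5e6f": {
        "id": "3e4f5a6b-2222-4c7d-9e8f-1a2b3c4d5e6f",
        "name": "Bob Example",
        "email": "bob@example.com",
        "profile_photo": "https://img.example/bob.png",
    },
}


def harvest_user_ids(node: Any) -> set[str]:
    """Walk the page data and collect every UUID stored under a user-reference key.
    Block ids and parent ids are deliberately ignored; only user references count."""
    found: set[str] = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key in USER_REF_KEYS and isinstance(value, str) and UUID_RE.fullmatch(value):
                found.add(value.lower())
            else:
                found |= harvest_user_ids(value)
    elif isinstance(node, list):
        for item in node:
            found |= harvest_user_ids(item)
    return found


def lookup_users_unrestricted(user_ids: Iterable[str]) -> list[dict[str, str]]:
    """Models the behaviour the article describes: any caller, with no session,
    receives the full record for every UUID it asks about."""
    return [USER_DIRECTORY[uid] for uid in user_ids if uid in USER_DIRECTORY]


def proxy_email(email: str, secret: bytes, relay_domain: str = "relay.example") -> str:
    """Stable, non-reversible relay address. The same user always maps to the same
    alias, but the alias reveals nothing about the real address or its domain."""
    tag = hmac.new(secret, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:20]
    return f"{tag}@{relay_domain}"


# Fields an unauthenticated caller is allowed to see. Photo and real email are not on it.
PUBLIC_FIELDS = ("id", "name")


def lookup_users_public(user_ids: Iterable[str], secret: bytes,
                        authenticated: bool = False) -> list[dict[str, str]]:
    """Hardened variant: full records only for authenticated callers; everyone else
    gets the allowlisted fields plus a relay address instead of the real email."""
    if authenticated:
        return lookup_users_unrestricted(user_ids)
    views = []
    for uid in user_ids:
        record = USER_DIRECTORY.get(uid)
        if record is None:
            continue
        view = {field: record[field] for field in PUBLIC_FIELDS if field in record}
        view["email"] = proxy_email(record["email"], secret)
        views.append(view)
    return views


def exposes_real_email(records: list[dict[str, str]]) -> bool:
    """True if any returned record still carries an address from the real directory."""
    real = {r["email"] for r in USER_DIRECTORY.values()}
    return any(r.get("email") in real for r in records)
```

Run against the constructed page, `harvest_user_ids` yields both editors' UUIDs, `lookup_users_unrestricted` hands back their real addresses and photos, and `lookup_users_public` with `authenticated=False` returns only a display name and a relay alias. The HMAC secret must be a server-side value that never reaches the client, otherwise the alias could be recomputed from a guessed address.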
In the meantime, organizations using Notion for public-facing resources should assume that employee contact details may already be indexed and accessible to automated scraping tools. The practical check is to inventory every page that is published to the web, unpublish any that no longer need to be public, and treat the remaining ones as disclosing the name and email of everyone who has edited them, since the warning shown at publish time is currently the only control in place.
The post Public Notion Pages Leak Profile Photos and Email Addresses of Editors appeared first on Cyber Security News.