Hidden risk in Notion 3.0 AI agents: Web search tool abuse for data exfiltration
64 points
3 hours ago
| 6 comments
| codeintegrity.ai
| HN
filearts
10 minutes ago
It is fascinating how similar the prompt construction was to a phishing campaign in terms of characteristics.

  - Authority assertion
  - False urgency
  - Technical legitimacy
  - Security theater
Prompt injection here is like a phishing campaign against an entity with no consciousness or ability to stop and question through self-reflection.
reply
lacoolj
1 hour ago
This attack was demonstrated a couple of years ago; it's not really a new thing.

https://simonwillison.net/2023/Oct/14/multi-modal-prompt-inj...

reply
tadfisher
1 hour ago
Is anyone working on the instruction/data-conflation problem? We're extremely premature in hooking up LLMs to real data sources and external functions if we can't keep them from following instructions in the data. Notion in particular shows absolutely zero warnings to end users, and encourages them to connect GitHub, GMail, Jira, etc. to the model. At this point it's basically criminal to treat this as a feature of a secure product.
reply
abirag
1 hour ago
Hey, I’m the author of this exploit. At CodeIntegrity.ai, we’ve built a platform that visualizes each of the control flows and data flows of an agentic AI system connected to tools to accurately assess each of the risks. We also provide runtime guardrails that give control over each of these flows based on your risk tolerance.

Feel free to email me at abi@codeintegrity.ai — happy to share more

reply
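A concrete form of the runtime guardrail idea raised in this thread, added here as an example (not CodeIntegrity's code or Notion's): before an agent's web-search tool call is sent, the outbound URL is checked against an assumed host allowlist and for verbatim phrases copied out of the private context, so a "search" that carries workspace data to an unexpected host is blocked. The allowlist, the private context and both URLs are constructed samples.

```python
import re
from urllib.parse import parse_qsl, urlparse

# Assumed allowlist of search endpoints the agent's web tool may contact.
ALLOWED_HOSTS = {"duckduckgo.com", "www.bing.com"}

# Constructed sample of private workspace content sitting in the agent's context.
PRIVATE_CONTEXT = (
    "Client list: Acme Corp annual contract value 1.2M, renewal March 2026, "
    "contact jane@acme.example"
)


def _phrases(text: str, n: int) -> set[str]:
    """Word n-grams, lower-cased, so verbatim copying is caught regardless of case."""
    words = re.findall(r"\w+", text.lower())
    return {" ".join(words[i : i + n]) for i in range(len(words) - n + 1)}


def inspect_tool_call(url: str, private_context: str,
                      allowed_hosts: set[str] = ALLOWED_HOSTS, n: int = 4) -> list[str]:
    """Return reasons to block an outbound web-search call; an empty list means allow.

    Everything the request would transmit (path and query values) is inspected,
    not just the query string the model claims to be searching for.
    """
    reasons = []
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if parsed.hostname not in allowed_hosts:
        reasons.append(f"host {parsed.hostname!r} is not an allowlisted search endpoint")
    params = parse_qsl(parsed.query)
    outbound = parsed.path + " " + " ".join(value for _, value in params)
    # Verbatim overlap between the outbound request and private context is the
    # signature of exfiltration: a genuine search query should not contain it.
    leaked = _phrases(outbound, n) & _phrases(private_context, n)
    if leaked:
        reasons.append(f"request carries {len(leaked)} phrase(s) copied from private context")
    # Long opaque tokens in query values are the usual way encoded data is smuggled out.
    for key, value in params:
        if re.fullmatch(r"[A-Za-z0-9+/=_-]{40,}", value):
            reasons.append(f"parameter {key!r} holds a {len(value)}-char opaque token")
    return reasons


if __name__ == "__main__":
    benign = "https://duckduckgo.com/?q=notion+api+rate+limits"
    # Constructed call with the shape of the exfiltration the article describes.
    suspicious = "https://collector.invalid/?q=Acme+Corp+annual+contract+value+1.2M"
    for call in (benign, suspicious):
        verdict = inspect_tool_call(call, PRIVATE_CONTEXT)
        print(call, "->", "allow" if not verdict else "block: " + "; ".join(verdict))
```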
greyadept
2 hours ago
Here’s the link to the article: https://www.codeintegrity.ai/blog/notion
reply
simonw
2 hours ago
Yeah that's a better link. I have some notes on my blog too: https://simonwillison.net/2025/Sep/19/notion-lethal-trifecta...
reply
gnabgib
2 hours ago
https://news.ycombinator.com/item?id=45303966

Oh, I see someone's updated the URL, so now this is just a dupe of that submission (it was formerly linked to a tweet).

reply
chanw
1 hour ago
This was a great article, because it demonstrated the vuln in a practical way and wasn't overly technical either. Thanks for sharing.
reply
nwellinghoff
2 hours ago
How does a random user get a document in your notion instance?
reply
simonw
5 minutes ago
In this case, by emailing you a PDF with a convincing title that you might want to share with your coworkers; the malicious instructions are hidden as white text on a white background.

There are plenty of other possibilities though, especially once you start hooking up MCPs that can see public issue trackers or incoming emails.

reply
memothon
47 minutes ago
Lots of companies have automations with Zapier etc. to upload things like invoices or other documents directly to notion. Or someone gets emailed a document with an exploit and they upload it.
reply
cobertos
2 hours ago
People put all kinds of stuff in Notion. People use it as a DB. People catalog things they find online (web clipper). There's collaboration features.

There are many ways.

reply
PokestarFan
39 minutes ago
If I had to describe it, Notion is as if someone somehow managed to combine OneNote and Excel. Of interest is the fact that the "database" system stores each row as a page, with the column values other than title stored in a special way. Of course, this also means that it doesn't scale at all, but I have seen some crazy use cases (an example is replacing Jira).
reply
Lalabadie
2 hours ago
The article gives a PDF document as an example, but depending on how links are opened and stored for Notion agents, threat actors could serve a different web page depending on the crawler/browser agent.

That means any industry-known documentation that seems good for bookmarking can be a good target.

reply