Notion AI is susceptible to data exfiltration via indirect prompt injection due to a vulnerability in which AI document edits are saved before user approval.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

Notion AI contains an unpatched vulnerability that allows data exfiltration through indirect prompt injection. When users upload untrusted documents (like resumes) and ask Notion AI to process them, malicious prompts can manipulate the AI to insert images with URLs containing sensitive data. The vulnerability exploits the fact that AI edits are saved before user approval, causing browsers to make requests that leak data to attacker-controlled servers. Despite responsible disclosure via HackerOne, Notion closed the report as "Not Applicable." The issue affects both Notion AI's main offering and Notion Mail's drafting assistant.

Notion AI: Unpatched Data Exfiltration

Stealing Hiring Tracker Data with a Poisoned Resume

Recommended Remediations for Organizations: