Notion AI Pre-Approval Edits Enable Prompt-Injection Data Exfiltration

Notion AI applies AI-driven edits before user approval, allowing prompt-injected content to exfiltrate data by inserting external image URLs that the browser fetches immediately. The attack was shown using a hidden-injection resume to leak hiring tracker details, and a related exposure exists in Notion Mail’s drafting assistant. While organizations can reduce risk with settings and practices, the authors argue Notion must implement stronger, platform-level defenses; their disclosure was closed as Not Applicable and then publicly released.
Key Points
- Notion AI saves and renders AI edits before user approval, enabling indirect prompt injection to exfiltrate data via external image requests.
- A poisoned resume instructs Notion AI to embed hiring-tracker contents into an attacker-controlled image URL; the browser fetch leaks the data regardless of user consent.
- Notion’s LLM-based document scanning can be bypassed; injections can reside in uploads, web pages, Notion pages, or connected data sources.
- Notion Mail’s drafting assistant also renders external Markdown images in drafts, creating a narrower but real exfiltration path.
- Mitigations available to users and organizations reduce the risk but do not eliminate it; the authors recommend that Notion block external image rendering in AI outputs, enforce a strong CSP, and fix the CDN redirect issues.
Sentiment
The community overwhelmingly agrees with the article's findings and is critical of Notion's handling of the vulnerability. There is strong consensus that prompt injection represents a fundamental security challenge for LLM-powered tools, and frustration that Notion dismissed a responsibly disclosed vulnerability. Some commenters express fatalism about the broader impossibility of securing LLMs, while others identify concrete mitigations (like blocking external image rendering) that Notion could implement. The tone is concerned and critical, with very little defense of Notion's position.
In Agreement
- Prompt injection is a fundamental, structural problem in LLMs that cannot be fully patched — mixing trusted and untrusted input is inherent to how they work
- Notion's dismissal of the responsible disclosure as 'Not Applicable' is unacceptable and reflects a pattern of poor security practices
- The browser rendering external image URLs before user approval is the core exploitable flaw and should be blocked
- LLM outputs must always be treated as untrusted, and any external communication (web requests, emails, image fetches) should be treated as a potential data leak
- This is an instance of Simon Willison's 'Lethal Trifecta' — private data access plus untrusted input plus external communication equals unsafe
Opposed
- Any data stored in consumer-grade SaaS like Notion is already effectively 'exfiltrated' — the vulnerability is not meaningfully different from the baseline risk of using these services
- The problem is not Notion-specific but a fundamental limitation of all LLM-based systems, so singling out Notion is somewhat unfair
- Simply treating the LLM as having the same permissions as the user would solve many of these issues (though this was rebutted as insufficient since LLMs cannot be held accountable)