Oh I see someone's updated the URL so now this is just a dupe of that submission (it was formerly linked to a tweet)
nwellinghoff•1h ago
How does a random user get a document in your notion instance?
cobertos•1h ago
People put all kinds of stuff in Notion. People use it as a DB. People catalog things they find online (web clipper). There's collaboration features.
There are many ways
Lalabadie•1h ago
The article gives a PDF document as an example, but depending on how links are opened and stored for Notion agents, threat actors could serve a different web page depending on the crawler/browser agent.
That means any industry-known documentation that seems good for bookmarking can be a good target.
memothon•8m ago
Lots of companies have automations with Zapier etc. to upload things like invoices or other documents directly to notion. Or someone gets emailed a document with an exploit and they upload it.
lacoolj•1h ago
This attack was demonstrated a couple years ago, it's not really a new thing.
Is anyone working on the instruction/data-conflation problem? We're extremely premature in hooking up LLMs to real data sources and external functions if we can't keep them from following instructions in the data. Notion in particular shows absolutely zero warnings to end users, and encourages them to connect GitHub, GMail, Jira, etc. to the model. At this point it's basically criminal to treat this as a feature of a secure product.
abirag•40m ago
Hey, I’m the author of this exploit. At CodeIntegrity.ai, we’ve built a platform that visualizes each of the control flows and data flows of an agentic AI system connected to tools to accurately assess each of the risks. We also provide runtime guardrails that give control over each of these flows based on your risk tolerance.
Feel free to email me at abi@codeintegrity.ai — happy to share more
chanw•33m ago
This was a great article, because it demonstrated the vuln in a practical way and wasn't overly technical either. Thanks for sharing
greyadept•2h ago
simonw•2h ago
gnabgib•1h ago
Oh I see someone's updated the URL so now this is just a dupe of that submission (it was formerly linked to a tweet)