A recent investigation has uncovered a privacy issue in Notion, one of the most popular productivity tools, with tens of millions of people using it worldwide.
According to cybersecurity experts, the pages that users openly publish on the Internet may be leaking personal information of those who have edited them.
The source of this exposure lies in the metadata that accompanies public pages. When a Notion document is shared without restrictions, it not only displays its visible content but may also include internal data related to the collaborators.
Among the accessible information are usernames, profile images, and even email addresses associated with the accounts.
Researchers warn that this behavior is not due to a specific flaw but to how the platform is designed. Although this feature is contemplated in Notion’s functionality, its impact on privacy may go unnoticed by most users, who are unaware that they are exposing more information than they think.
Researchers warn that this behavior is not due to a specific flaw but to how the platform is designed. Although this functionality is contemplated in Notion’s functionality, its impact on privacy may go unnoticed by most users, who are unaware that they are exposing more information than they think.
The situation affects both individual users and organizations that use Notion to create documentation, public pages, or information repositories accessible from the web. Any content published without restrictions could be revealing data about the people who have participated in its creation.
Notion is trying to fix it
Initially, Notion justified itself by saying that users were warned about a possible exposure of these details when publishing pages. But researchers have shown that such warnings did not appear in the publishing interface.
Following public criticism, the company has acknowledged the problem. Notion spokesperson Max Schoening has confirmed that the current behavior is unacceptable and has indicated that they are actively working on a solution.
At this time, the service’s developers are considering some alternatives such as removing personal identification information from public API responses or introducing an email masking system similar to GitHub, according to Cyberpress.
In light of this scenario, experts recommend carefully reviewing which pages are publicly exposed and limiting the sensitive information that is shared. They also advise using differentiated accounts or emails for open collaborations and being aware of the privacy implications before publishing content on this type of platform.
