Notion Public Pages Leak Editor Profile Photos and Emails

Emy Elsamnoudy
April 20, 2026

Notion, a widely used productivity and collaboration platform, faces intense scrutiny from the cybersecurity community following reports of a significant data exposure. Publicly accessible Notion pages have inadvertently leaked editor profile photos and email addresses, raising considerable privacy concerns for users and organizations alike.

Security researchers have revealed that public Notion pages silently expose the personally identifiable information (PII) of anyone who has ever edited them.

This data leak includes full names, email addresses, and profile photos, raising significant privacy concerns for organizations that rely on the platform for public documentation.

Notion Pages Expose User Data

The underlying vulnerability stems from how Notion processes user data within public workspaces.

When a document is published to the web, the platform embeds editor UUIDs (Universally Unique Identifiers) directly into the page’s block permissions.

Threat actors and open-source intelligence (OSINT) researchers discovered that these internal identifiers are readily accessible in the page data without requiring any authentication, active session cookies, or security tokens.

Once these UUIDs are harvested, an attacker can feed them into a single unauthenticated POST request to Notion’s internal API endpoint: /api/v3/syncRecordValuesMain.

Because this endpoint does not enforce access controls for public page data, it returns the complete user profiles associated with those UUIDs.

every public Notion page is leaking the email addresses of everyone who edited it.

zero authentication. no cookies. no tokens. one POST request returns full names, emails, and profile photos for every editor on the page.

your company wiki is public? every employee’s email is… pic.twitter.com/jqWSCVBoyH

— impulsive (@weezerOSINT) April 19, 2026

Consequently, a public company wiki or open-source project board can inadvertently expose the exact contact details of every employee or contributor who interacts with the document.

The most controversial aspect of this exposure is its long, unresolved timeline. According to security researchers, this exact API behavior was responsibly disclosed to Notion through the HackerOne bug bounty program in July 2022.

At the time, Notion’s security team triaged the submission as merely “informative”. It closed the report as out of scope without implementing a structural patch.

The issue recently resurfaced on X, sparking outrage among developers and cybersecurity professionals. Many paying subscribers expressed extreme frustration with the platform’s perceived negligence, noting that an issue ignored for nearly 4 years leaves thousands of indexable pages vulnerable to scraping.

Security experts emphasized that this exposed data creates a massive attack surface for targeted phishing campaigns and social engineering attacks against corporate targets.

Official Response and Proposed Mitigations

Following the intense public backlash, Notion has formally acknowledged the problem. Notion representative Max Schoening addressed the community’s concerns, noting that the platform provides user warnings about data visibility when a page is published to the web.

However, recognizing that this design choice poses unacceptable security risks, Notion is now working on a permanent architectural fix.

The engineering team plans to either strip PII completely from public-facing endpoints or implement an email proxy system to mask user addresses.
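
The two fixes named above, sketched as an added example (not Notion's code and not part of the original article): a deny-by-default filter for anonymous callers, with an optional HMAC-derived relay alias in place of the real address. The record fields, relay domain, and function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumed shape of a user record; constructed, not Notion's real schema.
PUBLIC_FIELDS = ("id",)                  # allowlist: anything not named here is dropped
RELAY_DOMAIN = "relay.example.invalid"   # hypothetical mail-relay domain


def relay_alias(user_id: str, key: bytes) -> str:
    """Stable per-user alias; cannot be mapped back to the real address without the key."""
    tag = hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]
    return f"u-{tag}@{RELAY_DOMAIN}"


def public_view(record: dict, mode: str = "strip", key: bytes = b"") -> dict:
    """Copy of a user record that is safe to return to an anonymous caller."""
    if mode not in ("strip", "proxy"):
        raise ValueError(f"unknown mode: {mode}")
    safe = {k: record[k] for k in PUBLIC_FIELDS if k in record}
    if mode == "proxy":
        if not key:
            raise ValueError("proxy mode needs a server-side secret key")
        safe["email"] = relay_alias(record["id"], key)
    return safe


def serve_user_records(records, caller_workspace=None, mode="strip", key=b""):
    """Full profile only for an authenticated member of the same workspace."""
    out = []
    for rec in records:
        is_member = caller_workspace is not None and caller_workspace == rec.get("workspace_id")
        out.append(dict(rec) if is_member else public_view(rec, mode, key))
    return out


# Constructed sample record, not real data.
SAMPLE = [{
    "id": "00000000-0000-4000-8000-000000000001",
    "workspace_id": "ws-1",
    "name": "Alex Example",
    "email": "alex@example.com",
    "profile_photo": "https://example.com/alex.png",
}]

if __name__ == "__main__":
    print(serve_user_records(SAMPLE))                            # anonymous, strip
    print(serve_user_records(SAMPLE, mode="proxy", key=b"k1"))   # anonymous, proxy
    print(serve_user_records(SAMPLE, caller_workspace="ws-1"))   # workspace member
```

The allowlist matters more than the specific fields: a field added to the record later stays private until someone deliberately marks it public.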

In the meantime, organizations using Notion for public-facing resources should remain vigilant, as their employee contact information may already be indexed and accessible to automated scraping tools.
