Notion's new 3.0 version arrives with some quite interesting changes, including the now-fashionable artificial intelligence agents that can execute complex tasks autonomously. However, it also opens the door to a critical vulnerability: people with bad intentions can use a technique that is simpler than it seems to extract confidential data and send it to external servers with the help of those same AI agents.
The background problem. As CodeIntegrity points out, modern AI agents combine three elements that make them a potential threat: the ability to use tools on their own, autonomous planning of actions, and access to sensitive corporate information. When an attacker manages to manipulate the agent's instructions, the attacker can have it execute chains of complex actions that can end up bypassing companies' traditional security controls.

How the attack works. In an article published by CodeIntegrity, its researchers show that the process can be very simple. First, the attacker creates an apparently harmless PDF document. Hidden within the file, however, is text with malicious instructions that deceive the agent by presenting themselves as an "important routine task" of the internal system.
An invisible trap. The malicious text uses psychological manipulation techniques: it presents itself as a critical task that must be completed to avoid "consequences" for the company, uses technical terminology to seem legitimate, and implies that the action is "pre-authorized" by security. When the user asks the Notion agent to summarize the document, the agent reads the hidden instructions and interprets them as genuine orders from the system.
Data leakage. Once activated, the agent searches the user's Notion pages for confidential information, as the prompt instructed, and concatenates it into a malicious URL specified in advance. It then uses the system's web search tool to send a query containing all that sensitive information to a server controlled by the attacker, where the data is recorded.
Scope of the problem. The most worrying thing is that this vulnerability is not limited to manually uploaded PDF files. Notion 3.0 integrates connectors with multiple business services such as GitHub, Gmail or Jira, any of which could be used to inject malicious instructions without the user suspecting. Even advanced AI models such as Claude Sonnet 4, considered among the safest on the market, have proven susceptible to this type of attack.
What it means for companies. Prompt injection techniques can call into question the security of any company that handles or manages various AI agents, since these agents can plan and execute actions autonomously. Companies that embrace AI must therefore also rethink their security protocols and establish new, specific controls to tackle these types of problems.
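One such control, as an added example that is not code from the researchers or from Notion: a check run before an agent's web or search tool call goes out, which refuses hosts outside an allowlist and URLs that carry text the agent read from private workspace pages. The function name, the allowlisted host and the sample page text are assumptions constructed for this illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Hypothetical policy and sample data, constructed for this example.
ALLOWED_HOSTS = {"search.example.com"}
MIN_TOKEN_LEN = 6  # skip short, common words when matching
PRIVATE_PAGES = ["Client list: Northwind Traders, ARR 1200000, owner finance@example.com"]

def _tokens(text):
    """Lower-cased alphanumeric runs long enough to be distinctive."""
    return {t for t in re.findall(r"[a-z0-9]+", text.lower()) if len(t) >= MIN_TOKEN_LEN}

def review_web_call(url, private_texts, untrusted_in_context):
    """Return (allowed, reasons) for a web/search call the agent wants to make.

    private_texts: contents of workspace pages the agent read this session.
    untrusted_in_context: True if the session ingested external content
    (an uploaded PDF, an e-mail or an issue pulled in by a connector).
    """
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        reasons.append(f"host not allowlisted: {host or '<none>'}")
    # Decode path and query so percent-encoded data is compared in the clear.
    outbound = _tokens(unquote_plus(parts.path + "?" + parts.query))
    leaked = set()
    for text in private_texts:
        leaked |= outbound & _tokens(text)
    if leaked:
        reasons.append("carries workspace data: " + ", ".join(sorted(leaked)))
    if untrusted_in_context and leaked:
        reasons.append("untrusted document in context: require user approval")
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed request resembling the leak described above.
    url = "https://collector.example.net/log?d=Northwind+Traders%2C1200000"
    print(review_web_call(url, PRIVATE_PAGES, untrusted_in_context=True))
```

Token matching only catches data sent in the clear, so the host allowlist and the approval step for sessions that ingested external content are the parts that do not depend on how the data is formatted.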
Cover image | Zan Lazarevic and generated by AI with Gemini
