Notion just released version 3.0, complete with AI agents. Because the system contains Simon Willson’s lethal trifecta, it’s vulnerable to data theft though prompt injection. First, the trifecta:
The lethal trifecta of capabilities is: Access to your private data”, one of the most common purposes of tools in the first place! Exposure to untrusted content”, any mechanism by which text (or images) controlled by a malicious attacker could become available to your LLM The ability to externally communicate in a way that could be used to steal your data (I often call this “exfiltration” but I’m not confident that term is widely understood.)…
First seen on securityboulevard.com
Jump to article: securityboulevard.com/2025/09/abusing-notions-ai-agent-for-data-theft/
