I think I might have missed something, having tried to recreate this in my own Notion, this searches the URL but doesn't actually send data to that URL.. right? Where's the exfil? (Apart from to the search service)
I just tested Notion's AI bot by asking it to make me a new page with the contents of a URL, then confirmed from my server logs that Notion accessed that URL.
It used user-agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/139.0.0.0 Safari/537.36 and connected from an IPv6 address of 2600:1f14:1c1:bf05:50ec::13
I think the idea was to trigger a request to the specified URL by passing it as the query string. But the search tool doesn't appear to work that way. Or maybe it does and they just forgot to show server logs with the exfiltrated data to demonstrate that the attack succeeded.