🤖 AI Summary
Researchers are reporting a "Lethal Trifecta" attack that chains three distinct weaknesses to trick Notion AI agents into exfiltrating private data. Although the full article text wasn’t provided, the name and context indicate a staged exploit that first injects malicious instructions into agent prompts, leverages excessive agent/connector permissions or tokens, and then channels harvested content out via a network/connector path, allowing attackers to pull sensitive workspace documents, messages, or credentials without obvious user interaction.
This is significant because AI agents often hold broad, contextual access to corporate and personal data and can interact with external services. The technical takeaway is that attacks combining prompt injection, improper permission scoping (OAuth/token misuse), and insecure egress/connector behavior (SSRF, open redirects, or unmanaged webhooks) can bypass traditional app-layer defenses. Immediate mitigations include tightening agent scopes and OAuth grants, introducing strict input sanitization and model-level instruction constraints, enforcing egress/network controls for connectors, logging and alerting on unusual agent actions, rotating tokens, and applying vendor patches. For teams running Notion AI agents or similar assistants, assume privilege escalation via chained flaws is feasible and prioritize least-privilege configuration, connector vetting, and end‑to‑end monitoring.
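An added sketch of the egress-control and logging mitigations listed above (not code from the article or from Notion): a per-session gate that a connector layer could consult before any outbound request. The `AgentSession` class, the allowlisted host and the verdict strings are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed allowlist: the only host this hypothetical connector may reach.
ALLOWED_HOSTS = {"api.example-crm.test"}


@dataclass
class AgentSession:
    """Tracks what the agent has read so egress decisions can depend on it."""
    read_untrusted: bool = False   # ingested content the workspace owner did not write
    read_private: bool = False     # touched private workspace data
    audit: list = field(default_factory=list)

    def record_read(self, source: str, trusted: bool, private: bool) -> None:
        self.read_untrusted |= not trusted
        self.read_private |= private
        self.audit.append(("read", source, trusted, private))

    def check_egress(self, url: str) -> str:
        parts = urlsplit(url)
        # .hostname strips userinfo and port, so "allowed@other-host" is judged
        # by the host the request would really reach.
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or host not in ALLOWED_HOSTS:
            verdict = "deny:host-not-allowlisted"
        elif self.read_untrusted and self.read_private:
            # Injected instructions may be steering the agent, and it holds
            # private data: even an allowlisted destination needs sign-off.
            verdict = "hold:needs-human-approval"
        else:
            verdict = "allow"
        self.audit.append(("egress", url, verdict))  # feed this to alerting
        return verdict


def demo() -> list:
    """Constructed session: a clean call, then the same call after risky reads."""
    s = AgentSession()
    before = s.check_egress("https://api.example-crm.test/v1/contacts")
    s.record_read("uploaded-report.pdf", trusted=False, private=False)
    s.record_read("workspace/client-list", trusted=True, private=True)
    after = s.check_egress("https://api.example-crm.test/v1/contacts")
    unknown = s.check_egress("https://unknown-host.invalid/upload")
    return [before, after, unknown]


if __name__ == "__main__":
    print(demo())
```

The audit list records every read and every egress verdict, which gives the "unusual agent actions" alerting a concrete event stream to work from.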