I'm guessing it's not trivial to fix without breaking other things? The weakness seems to be that anyone can turn UUIDs into details like email. But I assume this functionality is necessary for other flows so they can't just turn off all UUID->email/profile look ups. And similarly hiding author UUIDs on posts also isn't trivial.

Conceptually, I agree it should be easy, but I suspect they're stuck with legacy code and behaviors that rely on the current system. Not breaking anything else while fixing this is likely the time consuming part.

This is a rendering artifact, nothing more. If you can tokenize and protect PII on your platform, you can protect PII on your public pages.

    if (metadata.is_public)

Simple fix.

But a user's email isn't always forbidden. The API endpoint which turns UUIDs into a user email presumably also has use cases where you do want to expose the user email. For example, when seeing a list of people you've already invited via email to collaborate with, or listing users within your organization, etc. So a user's email isn't always forbidden PII, it depends on the context.

The trouble is the UUID->email endpoint has no idea what the context is and that endpoint alone can't decide if it should expose email or not. And then public Notion docs publicly expose author UUIDs.

Their mistake was architecting things this way. From day 1 they should have cleanly separated public identifiers from privileged ones. Or have more bespoke endpoints for looking up a UUID's email for each of the narrow contexts in which this is allowed. They didn't do this, and they certainly should have, but fixing this mess is likely a non-trivial amount of work. Though I bet it could be done immediately if they really cared and didn't mind other things breaking.

I'm absolutely not defending their choice to expose emails in this way. They should have addressed this years ago when it was first reported, and I want them shamed for failing to care. But just trying to say it's likely not a one line fix.

A users email should always be forbidden…

It is not a public marker, it’s PII.

Of course they can fix it, come on.

They can easily withold information they put out intenionally.

The whole point of that comment is that it's not that easy. There are potential side effects and consequences that are difficult to architect around.

The fix IS easy. The side effects need to be dealt with accordingly. Why do you defend shit like this?

Except it is.

If you can't easily architect around it, then don't do what you're trying to do.

"Oh I needed to disclose user data in order to make more money" isn't an acceptable excuse.

No one's talking about excuses.

Looks like everyone does talk about excuses though.

> Oh I needed to disclose user data in order to make more money

hmm maybe they should've paywalled?

You literally don’t know that. Add this to the mammoth file titled “HN comments in which the author makes some completely unsubstantiated technical claim”

It literally is easy to fix. For example they could shut down the servers. Which is what they should do immediately if there is no faster fix for a privacy leak like that.