Skip to main content
CybersecurityHacking

Writer AI Flaw Exposes Session Tokens Across Tenants

Person working at desk with laptop and papers in modern office setting.

"An outsider could go from having no access to taking over any Writer AI organization inside industry-leading enterprises, with nothing more than a link," Sand Security said in a report shared with The Hacker News.

Sand Security's WriteOut finding

Researchers from the Sand Security Research team disclosed a critical session isolation vulnerability they have codenamed WriteOut in Writer, an enterprise generative AI platform. The team supplied a report to The Hacker News and described an exploit chain that could allow a remote attacker to hijack a Writer account simply by sharing a live preview link.

How the live preview feature was abused

WriteOut leveraged Writer's live preview feature, which allows users to preview applications via the Writer Framework. Sand Security says the flaw broke tenant isolation protections and undermined the shared responsibility model: the preview proxy forwarded a user's session cookie into an attacker-controlled sandbox. Because that cookie could be accessed by code running inside the sandbox, an attacker could exfiltrate and replay the token to take over the victim's account.

The attack chain, step by step

  • An attacker creates an agent in their own Writer account and enables a public live preview link.
  • A logged-in Writer user opens that preview link; their browser attaches the Writer session cookie to the request.
  • The preview proxy forwards that cookie into the attacker's sandbox.
  • Code running inside the attacker-controlled sandbox reads the forwarded session token and exfiltrates it.
  • The attacker replays the token and gains control of the victim's Writer account — including potential access to private chats, documents, agents, configurations, private models, connectors, and large language model credentials. Depending on the victim's role, administrative control could be seized.

Sand Security also highlighted that the managed sandbox could be instructed to run code that reads the sandbox process's memory, which made it possible to recover exfiltrated session tokens and transmit them to a server under attacker control. Crucially, the attacker and victim do not need to belong to the same organization for the exploit to succeed.

Why previous guardrails failed

Sand Security noted that Writer had implemented guardrails and input-side filtering intended to block obviously malicious code or attempts to read environment variables. But those checks examined the instruction text rather than runtime behavior. As the researchers explained: "Bypassing the guardrail was pretty straightforward: Instead of pasting the payload inline, we simply told the agent to fetch and run a remote script. The guardrail saw a benign 'download and run' request, and the actual exploit logic never appeared in the prompt at all."

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: The vulnerability shows how forwarding authentication tokens into third-party or sandboxed runtimes can negate tenant isolation. Teams responsible for application security and identity should track whether session cookies or other credentials are exposed to embedded previews or third-party sandboxes.
  • Affected enterprises and procurement leaders: Sand Security's disclosure emphasizes that an attacker could access internal assets — private chats, documents, agent configurations, private models, connectors, and LLM credentials — and potentially escalate to administrative control depending on the victim's role. Procurement and risk teams will want assurances that preview mechanisms and sandboxed runtimes do not expose session tokens.
  • End users and employees: The attack described requires a logged-in Writer user to open a public preview link. That single action, when the preview forwarded a session cookie, was enough to begin the compromise chain described by Sand Security.

Remediation and the immediate outcome

Following responsible disclosure, Writer has patched the issue. The company prevented users' session cookies from being forwarded into sandbox previews and moved those tokens to an isolated origin, closing the described attack vector.

WriteOut is a concise reminder that features meant to improve developer and user experience — in this case, a live preview — can have unintended security consequences when authentication material crosses trust boundaries. Sand Security's report documents a practical bypass of input-side guardrails and a fast path to account takeover; Writer's fix removed the forwarding of session cookies and isolated them from preview contexts. The remaining question in the disclosure is practical and immediate: how many logged-in users clicked attacker-controlled previews before the patch, and what, if any, accounts were compromised prior to remediation?

https://thehackernews.com/2026/07/writer-ai-flaw-could-let-agent-previews.html