Writer AI Flaw Let One Link Hijack Any Tenant Account

Get the Tech newsletter
Daily tech — startups, AI labs, chips, the launches that shape the next decade. Free.
- Sand Security Research disclosed a critical, now-patched session isolation vulnerability in Writer's enterprise generative AI platform, codenamed "WriteOut," that enabled cross-tenant account takeover.
- The one-click flaw let an attacker with no prior foothold hijack any Writer organization inside "industry-leading enterprises" using only a shared preview link, according to Sand Security.
- The attack exploited Writer's live preview feature in the Writer Framework: a logged-in victim who clicked an attacker's agent preview link had their session cookie forwarded into the attacker's managed sandbox, where embedded code exfiltrated the token.
- A successful exploit exposed private chats, documents, agent configurations, private models, connectors, LLM credentials, and potentially administrative control within the victim's Writer account, with attacker and victim in different organizations.
- Writer patched the issue by preventing session cookies from being forwarded into sandbox previews entirely and moving them to an isolated origin, following responsible disclosure.
- Sand Security said Writer's guardrails inspected the instruction prompt rather than runtime behavior, and the team bypassed them by telling the agent to fetch and run a remote script so the exploit code never appeared in the input.
Why it matters: Writer positions itself for "industry-leading enterprises," meaning a single misdirected click could expose private chats, private models, and admin credentials across organizational boundaries — and Sand Security showed Writer's defenses were inspecting the wrong layer, leaving session tokens readable from inside the sandbox itself.



