« All posts

WriteOut Flaw in Writer AI Enabled Cross-Tenant Account Takeover

A critical flaw dubbed WriteOut let attackers hijack any Writer AI account by leaking session cookies through the platform's sandbox. Writer has since patched it.

Security researchers at SAND disclosed WriteOut, a critical session-isolation flaw in Writer AI, an enterprise platform for building AI agents. The root cause was that agent live previews were served from the same origin as the main dashboard, so browsers automatically attached the victim's session cookie to preview requests, and Writer's proxy forwarded that cookie into the sandbox — a leftover behavior from a now-deprecated integration.

Exploitation required only a link: an attacker built a malicious agent, shared its public preview, and any authenticated user who opened it — even from an entirely different organization — had their session token exposed to code running inside the attacker's sandbox. Input-side filters only inspected prompt instructions rather than actual runtime behavior, so the check was trivially bypassed by having the agent fetch and execute a remote script instead of embedding the exploit inline.

With the stolen session, an attacker gained full read/write access to the victim's private chats, documents, agent configurations, LLM credentials, connectors, and in some cases administrative settings — a complete cross-tenant account takeover. Writer fixed the issue by moving previews to an isolated origin and eliminating session-cookie forwarding into the sandbox entirely, confirming the token is no longer reachable from within it.

The disclosure underscores that sandbox isolation alone is not a security boundary for AI platforms. Under a shared-responsibility model, both the sandbox provider and the platform must scrutinize credential flows and proxy behavior, not just runtime containment, especially as threat models shift over time.

» SourceHashnode #8