Patched Writer AI Flaw Could Expose Session Tokens Through Agent Preview Links
Researchers have disclosed a now-fixed vulnerability in Writer, an enterprise generative AI platform, that could have allowed attackers to cross tenant boundaries and take over user accounts with only...
Researchers have disclosed a now-fixed vulnerability in Writer, an enterprise generative AI platform, that could have allowed attackers to cross tenant boundaries and take over user accounts with only a shared preview link.
The issue, tracked by Sand Security as WriteOut, affected Writer’s live agent preview feature. According to the researchers, an attacker could build an agent in their own account, publish a preview, and wait for a logged-in victim to open the link. If the victim was already authenticated to Writer, their browser could send session information into the preview environment.
Once that happened, code running inside the attacker-controlled sandbox could recover the forwarded session token and send it back to the attacker. Replaying the token would then let the attacker act as the victim inside Writer, potentially reading private chats, documents, agent settings, connectors, model credentials, and other sensitive data.
Why the flaw mattered
Sand Security said the weakness was especially serious because the attacker and victim did not need to belong to the same organization. In some cases, the compromised account could even belong to an administrator, depending on the victim’s permissions. The researchers described the problem as a failure of tenant isolation in the platform’s preview flow.
- Attackers could trigger the issue with a public preview link.
- The victim did not need to install anything or enter credentials.
- Session tokens could be reused to access private Workspace data.
- The flaw could affect separate companies, not just users within one tenant.
The company said Writer has since addressed the problem by stopping session cookies from being passed into sandbox previews and moving previews to an isolated origin.
Sand Security also noted that existing safeguards were not enough to stop the attack. Input checks were aimed at blocking obviously malicious prompts or environment-variable access, but the researchers bypassed those controls by instructing the agent to fetch and run code from a remote location instead of placing the exploit directly in the prompt.
The disclosure adds to growing concerns about security risks in AI agent platforms, where preview and sandbox features can become a path to token theft if isolation is not enforced correctly.
