Critical Flaw in Writer AI Exposed Cross-Tenant Data

Cybersecurity experts have identified and disclosed a significant vulnerability in Writer, an enterprise-focused generative AI platform. This flaw, now patched, posed a risk of cross-tenant data breaches, potentially allowing unauthorized access across different organizations.

Dubbed ‘WriteOut’ by the Sand Security Research team, the vulnerability enabled attackers to gain control over any Writer AI organization with just a single link. Exploiting this flaw could grant access to sensitive information, including private conversations, documents, agent configurations, custom models, connectors, and large language model (LLM) credentials. Depending on the victim’s role, attackers might even obtain administrative privileges. Notably, the attacker and victim did not need to belong to the same organization for this exploit to succeed.

The attack method involved an adversary creating an agent within their own Writer account and sharing a preview link. If a logged-in Writer user clicked on this link, their session cookie would be attached to the request. The preview proxy would then forward this cookie into the attacker’s sandbox environment. Malicious code within this sandbox could read and exfiltrate the session token, allowing the attacker to hijack the victim’s account.

By leveraging Writer’s AI-managed sandbox, attackers could collect session tokens from entirely separate companies and impersonate legitimate users without any prior access. This exploitation undermined the shared responsibility model by breaching tenant isolation protections through the platform’s live preview feature.

The attack sequence unfolded as follows:

  • The attacker creates an agent with a live preview and shares its public preview link.
  • A logged-in Writer user opens the link, causing their browser to attach their session cookie to the request.
  • The preview proxy forwards this cookie into the attacker’s sandbox.
  • Malicious code within the sandbox reads and exfiltrates the session token.
  • The attacker replays the token to gain control over the victim’s Writer account.

To execute this, the attacker instructs their malicious agent to run code inside the controlled sandbox, enabling them to read the sandbox process’s memory, retrieve the victim’s session token, and transmit it to a server they control.

Upon responsible disclosure, Writer addressed the issue by preventing session cookies from being forwarded into sandbox previews and isolating them to a separate origin. Despite existing safeguards, such as input-side filtering to block malicious code, attackers bypassed these by instructing the agent to fetch and execute remote scripts, effectively evading detection.

This incident underscores the critical importance of robust session isolation and tenant separation in multi-tenant platforms. Organizations must remain vigilant, ensuring that features like live previews do not inadvertently expose sensitive data. Regular security assessments and prompt patching are essential to mitigate such vulnerabilities and protect user information.