Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Writer AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants

July 12, 2026

What Changes When Your Software Supply Chain Includes AI Writing Your Code?

July 12, 2026

Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities

July 12, 2026
Facebook X (Twitter) Instagram
Sunday, July 12
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Writer AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants
News

Writer AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants

Team-CWDBy Team-CWDJuly 12, 2026No Comments4 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Cybersecurity researchers have disclosed details of a now-patched critical session isolation vulnerability in Writer, an enterprise generative artificial intelligence (AI) platform, that could result in cross-tenant compromise.

The one-click vulnerability has been codenamed WriteOut by the Sand Security Research team.

“An outsider could go from having no access to taking over any Writer AI organization inside industry-leading enterprises, with nothing more than a link,” the cybersecurity company said in a report shared with The Hacker News.

Put differently, the shortcoming could be abused to take over a victim’s Writer account, and use it to access private chats, documents, and other sensitive data related to agents, configurations, private models, connectors, and large language model (LLM) credentials.

Even worse, it could be abused to seize administrative control depending on the victim’s role. An important aspect of the flaw is that the attacker and the victim don’t have to belong to the same organization.

An attacker can create an agent in their own Writer account and share a preview link. That’s all it takes to trigger the vulnerability, essentially making it possible to hijack the account of a victim who clicks on the link and is signed in with their own session.

“An attacker can abuse Writer’s AI managed sandbox to collect sessions belonging to completely separate companies and act inside each of them as a real user, with no prior foothold anywhere,” Sand Security said.

WriteOut also undermines the shared responsibility model as it breaks tenant isolation protections by taking advantage of Writer’s live preview feature that allows users to preview the application via the Writer Framework.

The entire attack chain plays out as follows –

  • An attacker builds an agent with a live preview and shares its public preview link.
  • When a logged-in Writer user opens that link, their browser attaches their Writer session cookie to the request.
  • The preview proxy sends that cookie into the attacker’s sandbox.
  • The code contained within the attacker-controlled sandbox reads the forwarded session token and exfiltrates
  • it.
  • The attacker replays the token and gains control of the victim’s Writer account.

Because an attacker can instruct their pre-built malicious agent to run code inside the controlled, managed sandbox, it makes it possible to read the sandbox process’s memory, recover the exfiltrated session token of the victim, and transmit it to a server they maintain.

Following responsible disclosure, Writer has addressed the issue by preventing the user’s session cookie from being forwarded into sandbox previews entirely, and moving them to an isolated origin.

“Writer wasn’t careless, there were guardrails. Input-side filtering tried to block users from reading environment variables or submitting obviously malicious code,” Sand Security said. “The problem is what those checks looked at: the instruction, not the runtime behavior.”

“Bypassing the guardrail was pretty straightforward: Instead of pasting the payload inline, we simply told the agent to fetch and run a remote script. The guardrail saw a benign ‘download and run’ request, and the actual exploit logic never appeared in the prompt at all.”

Update

Following the publication of the story, Writer said it moved quickly to confirm the vulnerability and implement a fix to remove the session credentials from sandbox previews entirely and migrate previews to an isolated origin so that the session token is no longer reachable from inside the sandbox. 

“Enterprise-grade security is a core commitment for Writer, not a checkbox,” a spokesperson for Writer told The Hacker News. “This was a vulnerability that we fixed within 24 hours of notification in May 2026. No customer data was compromised as a result of this vulnerability, and we have no evidence of malicious exploitation.”

“Our customers trust us with their most sensitive workflows, data, and infrastructure, and we take that responsibility seriously. We will continue to invest in the controls, architecture reviews, and third-party partnerships that protect that trust.”

(The story was updated after publication on July 9, 2026, to include a response from Writer.)



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleWhat Changes When Your Software Supply Chain Includes AI Writing Your Code?
Team-CWD
  • Website

Related Posts

News

What Changes When Your Software Supply Chain Includes AI Writing Your Code?

July 12, 2026
News

Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities

July 12, 2026
News

CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware

July 11, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Why that next data breach alert could be a trap

April 18, 2026

The hidden risks of browser extensions – and how to avoid them

September 13, 2025

Chronology of a Skype attack

February 5, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.