Skip to content
AI Security Wire

Published

- 6 min read

By

WriteOut: Cross-Tenant Session Theft via Writer AI Agent Previews

img of WriteOut: Cross-Tenant Session Theft via Writer AI Agent Previews

A critical cross-tenant vulnerability in Writer’s AI agent platform let attackers steal enterprise session tokens with a single shared link. Sand Security Research disclosed the flaw last week, demonstrating that Writer’s agent preview feature forwarded authenticated session cookies directly into an attacker-controlled sandbox, where a malicious agent could intercept and exfiltrate them. The result was full account takeover, no credentials required beyond an initial Writer account of the attacker’s own.

Writer, used by thousands of enterprise customers for AI-powered writing and workflow automation, has patched the issue. There is no evidence of exploitation before disclosure. The mechanics of the attack are worth examining closely: they reflect a vulnerability class that is almost certainly not unique to this platform.

How the Preview Feature Created the Exposure

Writer’s agent builder allows users to create AI agents and share preview links for testing or collaboration. The design intent is straightforward: here is my agent, click this link to see it in action. The implementation introduced a critical flaw.

When a recipient clicked a preview link while authenticated to their own Writer account, the browser sent their session cookie with the preview request. Standard cookie behavior: the browser attaches credentials to requests matching the cookie’s domain and path. Writer’s preview environment ran on the same origin as the main application and was not isolated from the authenticated session.

Inside the preview sandbox, the attacker’s agent could read the HTTP request context. The session cookie arrived attached to the page load. With a prompt instructing the agent to extract and exfiltrate session data, the token was sent to an attacker-controlled server. The attacker replayed it to access the victim’s account.

The access available with a stolen session token was significant. Depending on the victim’s role, it included private conversations with Writer agents, document libraries, configured data connectors, private model configurations, and stored LLM API credentials. For enterprise accounts with administrative users, the token provided control over the entire organization’s Writer environment.

Bypassing Input-Side Filtering

Writer had implemented input-side filtering designed to block malicious code embedded in agent prompts. Researchers found a bypass that took minimal effort.

Rather than embedding the payload directly in the agent’s system prompt, they instructed the agent to fetch and execute a remote script: something functionally equivalent to “retrieve and run the code at [attacker URL].” The filtering examined the agent configuration for known-bad patterns. Fetching external content at runtime was not blocked. The payload, including the session extraction logic, lived on the attacker’s server and was pulled down after the preview loaded.

This is a well-worn bypass for content-based security controls. Filtering what is present in a configuration file cannot stop payloads retrieved at runtime from external infrastructure. The same pattern has appeared in supply chain attacks against package managers and CI/CD pipelines. It reappears here in the context of agent sandboxes.

What the Fix Looks Like

Writer’s remediation addressed the root cause rather than the bypass. Two changes were made.

First, the preview environment was moved to an isolated origin, separate from the authenticated application domain. Cookies scoped to the main application domain do not attach to requests on a different origin. The session token no longer reaches the preview environment, regardless of what the agent running in it attempts to do.

Second, Writer explicitly blocked session cookie forwarding into sandbox contexts. Even on the same origin, the preview feature no longer receives the authenticated session credentials of the visiting user.

This is the correct architectural fix. Isolating preview and sandbox environments on separate origins is a standard mitigation for this vulnerability class, and it is the approach used by other platforms that have worked through similar issues. The fact that it was not in place initially reflects how quickly the surface area of AI platforms expands when collaboration and sharing features are added.

The Broader Pattern

Cross-tenant isolation failures in AI platforms are not a new class of vulnerability, but the risk surface is expanding. The attack here required a Writer account, a preview feature, and a victim who clicked a link. None of these are unusual conditions in an enterprise environment where sharing AI agent previews is a routine workflow.

Several factors make AI platforms particularly susceptible to this category of issue.

The preview and sandbox model is standard. AI platforms need to render agent output somewhere, and doing so in an iframe or embedded context on the same origin is the path of least resistance. The shared-origin problem follows.

Agent capabilities are broad. Unlike a static preview that displays text, an AI agent can make HTTP requests, read page context, access browser APIs, and communicate with external servers. A rendering environment that passively displays content is less dangerous than one where the rendered content can autonomously exfiltrate what it finds.

Development moves fast. Writer shipped the preview feature as part of a collaboration workflow. The session cookie isolation requirement was not caught before deployment. This is not a failure unique to Writer; it is the predictable outcome of adding collaboration features to authenticated platforms under speed pressure.

The WriteOut disclosure followed responsible disclosure practices. Sand Security notified Writer, coordinated on timing, and published after the fix was confirmed. The disclosure included enough technical detail to let other vendors audit their own preview and sandbox implementations for the same pattern.

Defensive Guidance

For security teams using AI platforms in enterprise environments:

Audit session isolation for all sandbox and preview features. Any feature that renders untrusted content while the user is authenticated to the application is worth examining. The question is whether authentication credentials are forwarded into the rendering context. A quick test: load a vendor-provided agent preview or sandbox as an authenticated user while watching network traffic. If session cookies are attached to requests going to attacker-controllable content, the isolation is insufficient.

Treat AI agent collaboration features as high-risk workflows. Sharing preview links should trigger the same scepticism as clicking a link in an unsolicited email. In enterprise deployments, consider restricting who can generate shareable preview links to reduce the social engineering surface.

Ask vendors about cross-tenant isolation architecture before deployment. This is a reasonable procurement question for any AI platform with multi-tenancy and collaboration features. What is the isolation model between tenants? Are preview environments on a separate origin? Are session credentials scoped to prevent access from sandbox contexts?

Monitor for anomalous session activity from known-good IPs. Session token theft does not require the attacker’s IP to be unusual. But the behavioural pattern after theft often is: access to sensitive configuration objects, data exports, or connector credential views that are inconsistent with normal use. Session activity anomaly detection catches this pattern when signature-based approaches cannot.

Writer confirmed no in-the-wild exploitation prior to the Sand Security disclosure. The fix is deployed. But the vulnerability class will appear again in other platforms as preview and sandbox features continue to be added to enterprise AI tools at pace.

References

Frequently Asked Questions

What is the WriteOut vulnerability and who found it?
WriteOut is a critical cross-tenant vulnerability in Writer's AI agent preview feature, discovered and disclosed by Sand Security Research. An attacker with any Writer account could generate a malicious preview link and use it to steal the session token of any authenticated user who clicked the link, achieving full account takeover without any additional interaction.
How did the WriteOut attack bypass Writer's input filtering?
Writer had input-side filtering to block malicious code embedded directly in agent prompts. Researchers bypassed this by instructing the agent to 'fetch and run a remote script' rather than embedding the payload inline. The sandbox fetched and executed attacker-controlled code from an external server, sidestepping the filter entirely.
How should security teams evaluate enterprise AI platforms for similar cross-tenant isolation failures?
Focus on any feature that renders content in a shared context while forwarding authentication credentials. Agent preview features, shared workspaces, and collaborative editing modes are the highest-risk areas. Specifically test whether session cookies or bearer tokens are sent to sandbox or preview environments, whether previews load on the same origin as the authenticated application, and whether the vendor has published a cross-tenant isolation architecture. SameSite=Strict cookie attributes and preview isolation on a separate origin are the standard mitigations.