Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Writer AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants

The Hacker News by The Hacker News
July 7, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananJul 07, 2026AI Security / Vulnerability

Cybersecurity researchers have disclosed details of a now-patched critical session isolation vulnerability in Writer, an enterprise generative artificial intelligence (AI) platform, that could result in cross-tenant compromise.

The one-click vulnerability has been codenamed WriteOut by the Sand Security Research team.

“An outsider could go from having no access to taking over any Writer AI organization inside industry-leading enterprises, with nothing more than a link,” the cybersecurity company said in a report shared with The Hacker News.

Put differently, the shortcoming could be abused to take over a victim’s Writer account, and use it to access private chats, documents, and other sensitive data related to agents, configurations, private models, connectors, and large language model (LLM) credentials.

Even worse, it could be abused to seize administrative control depending on the victim’s role. An important aspect of the flaw is that the attacker and the victim don’t have to belong to the same organization.

An attacker can create an agent in their own Writer account and share a preview link. That’s all it takes to trigger the vulnerability, essentially making it possible to hijack the account of a victim who clicks on the link and is signed in with their own session.

“An attacker can abuse Writer’s AI managed sandbox to collect sessions belonging to completely separate companies and act inside each of them as a real user, with no prior foothold anywhere,” Sand Security said.

WriteOut also undermines the shared responsibility model as it breaks tenant isolation protections by taking advantage of Writer’s live preview feature that allows users to preview the application via the Writer Framework.

The entire attack chain plays out as follows –

  • An attacker builds an agent with a live preview and shares its public preview link.
  • When a logged-in Writer user opens that link, their browser attaches their Writer session cookie to the request.
  • The preview proxy sends that cookie into the attacker’s sandbox.
  • The code contained within the attacker-controlled sandbox reads the forwarded session token and exfiltrates
  • it.
  • The attacker replays the token and gains control of the victim’s Writer account.

Because an attacker can instruct their pre-built malicious agent to run code inside the controlled, managed sandbox, it makes it possible to read the sandbox process’s memory, recover the exfiltrated session token of the victim, and transmit it to a server they maintain.

Following responsible disclosure, Writer has addressed the issue by preventing the user’s session cookie from being forwarded into sandbox previews entirely, and moving them to an isolated origin.

“Writer wasn’t careless, there were guardrails. Input-side filtering tried to block users from reading environment variables or submitting obviously malicious code,” Sand Security said. “The problem is what those checks looked at: the instruction, not the runtime behavior.”

“Bypassing the guardrail was pretty straightforward: Instead of pasting the payload inline, we simply told the agent to fetch and run a remote script. The guardrail saw a benign ‘download and run’ request, and the actual exploit logic never appeared in the prompt at all.”



Source link

The Hacker News

The Hacker News

Next Post
Atomic Mobile Unveils Atomic Pulse, The IoT Play that Actually Boosts Your Margins

Atomic Mobile Unveils Atomic Pulse, The IoT Play that Actually Boosts Your Margins

Recommended.

The Grossman Group and The Harris Poll Unveil Landmark Study on What Drives – and Derails – Change Success

The Grossman Group and The Harris Poll Unveil Landmark Study on What Drives – and Derails – Change Success

September 16, 2025
Stocks making the biggest premarket moves: Super Micro Computer, Warner Bros. Discovery, Adobe and more

Stocks making the biggest premarket moves: Super Micro Computer, Warner Bros. Discovery, Adobe and more

September 12, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Anaconda Extends AI-Native Application Development With Acquisition

Anaconda Extends AI-Native Application Development With Acquisition

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio