Researchers disclosed a patched critical vulnerability in Writer, an enterprise generative AI platform, that allowed cross-tenant account compromise through its agent live preview feature. The flaw, named WriteOut by Sand Security, let an attacker send a malicious Writer agent preview link to any logged-in user and capture that victim’s session token when the preview loaded in an attacker-controlled sandbox.
By replaying the stolen session cookie, an attacker could hijack accounts across organizations and access private chats, documents, agents, configurations, private models, connectors, and LLM credentials; administrative takeover was also possible depending on the victim’s privileges. Writer said it fixed the issue by preventing session cookies from being forwarded into sandbox previews and by moving previews to an isolated origin.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Writer remediated the vulnerability by preventing session cookies from being forwarded into sandbox previews and by moving previews to an isolated origin. The flaw had allowed attacker-controlled sandboxes to read, exfiltrate, and replay victim session tokens.
Sand Security Research identified a critical session isolation vulnerability in Writer, dubbed WriteOut, that allowed a malicious agent preview link to exfiltrate a logged-in user's session token and enable cross-tenant account compromise. The issue could expose private chats, documents, agents, configurations, private models, connectors, and LLM credentials, and could also permit administrative takeover depending on the victim's privileges.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.