Security Researchers Expose Critical Session Hijacking Vulnerability in Writer AI Platform
Key Takeaways
- ▸WriteOut enabled one-click account takeover by exploiting Writer AI's sandbox as a vector for session theft, not just code execution
- ▸The vulnerability crossed organizational boundaries—attackers with basic accounts could target and compromise users across separate enterprises
- ▸Writer's sandbox mechanism, marketed as a security boundary, became the attack surface itself, undermining the assumption that isolated execution equals contained risk
Summary
Security researchers from SAND Security discovered WriteOut, a critical cross-tenant vulnerability in Writer AI that allowed attackers to hijack user sessions and gain unauthorized access to entire organizations. The flaw exploited Writer's AI sandbox mechanism—the very containment layer designed to isolate untrusted code—enabling an attacker to steal session credentials and impersonate any victim without prior account access. An attacker could share a malicious agent via a public link; when a victim from a target organization opened it while logged in, their session would be compromised, granting the attacker full access to private data, sensitive documents, credentials, system prompts, agent configurations, and administrative controls depending on the victim's role.
The vulnerability was particularly dangerous because it crossed organizational boundaries: attackers could create throwaway accounts to build and distribute malicious agents that would harvest sessions from high-value targets across Fortune 500 companies. Writer's customer base spans banking, insurance, pharmaceuticals, retail, and technology sectors—all industries handling highly sensitive data. Writer AI's security team responded with speed and professionalism, collaborating with the researchers to implement proper session isolation mitigation. The platform has since been patched, eliminating the risk for current users.
- Responsible disclosure and rapid mitigation by Writer's security team prevented widespread exploitation of a vulnerability affecting thousands of enterprise users
Editorial Opinion
This disclosure shatters a comforting illusion: that 'it runs in a sandbox' is sufficient security assurance for AI platforms. Sandboxes are runtime containers, not security boundaries. Enterprises must immediately fold AI sandbox mechanisms into their threat models and third-party risk assessments, treating them as potential attack surfaces rather than impenetrable walls. The incident underscores that AI platform security requires the same rigor as any other SaaS infrastructure—isolation alone is not enough.



