They called it WriteOut. And it could have blown open every tenant on the Writer AI platform.
Cybersecurity researchers at Sand Security have revealed the details of a critical vulnerability in Writer, an enterprise generative AI platform. The flaw, now patched, allowed a one-click attack that could leak session tokens across tenants — effectively letting an outsider hijack any agent preview without ever logging in.
The bug is being tracked as WriteOut. And it’s a textbook case of what happens when session isolation isn’t bulletproof.
What exactly was the Writer AI flaw?
The vulnerability lived inside Writer’s agent preview feature — the sandbox where users test and iterate on AI agents before deploying them. Under the hood, each tenant is supposed to be walled off from every other tenant. That’s basic multi-tenant security: your data, your sessions, your agents — all isolated.
WriteOut broke that wall.
Sand Security found that a malicious actor could craft a specially designed link. Click it, and the victim’s browser would execute a cross-tenant request that leaked their session token. From there, the attacker could impersonate the victim inside Writer, accessing their agents, their prompts, their history — everything.
No credentials needed. No brute force. Just one click.
Cross-tenant compromise: the real danger
Cross-tenant vulnerabilities are the nightmare scenario for any SaaS platform. They mean that a breach at Company A can spill directly into Company B’s data — without either company doing anything wrong.
In Writer’s case, the agent preview feature was the entry point. The platform uses session tokens to keep users authenticated as they move between features. But the token validation logic didn’t properly enforce tenant boundaries during preview requests. A request from Tenant A could include a token from Tenant B, and the server would accept it.
That’s the kind of bug that keeps CISOs up at night.
Sand Security’s team demonstrated the attack with a proof-of-concept they called WriteOut. It required no authentication from the attacker. Just a link, a victim, and a click.
How Writer fixed the session isolation vulnerability
Writer patched the flaw after Sand Security disclosed it responsibly. The fix involved tightening session token validation to ensure that tokens are scoped to their originating tenant. Now, a token from Tenant A simply won’t work when presented to Tenant B’s resources.
The company also added additional checks on the server side to verify tenant identity on every request involving agent previews. It’s the kind of layered defense that should have been there from the start — but at least it’s there now.
Writer has not disclosed whether the vulnerability was ever exploited in the wild. But given the nature of the bug — a cross-tenant session leak — the potential blast radius was enormous. If an attacker had discovered WriteOut before Sand Security did, they could have silently harvested tokens from any Writer user who clicked a malicious link.
That’s the quiet danger of session isolation flaws: no alarms, no unusual login activity. Just a stolen token and a ghost in the machine.
What this means for enterprise AI security
Writer is far from alone. Enterprise AI platforms are being built at breakneck speed, and security often takes a backseat to shipping features. Agent previews, custom model tuning, and collaborative workspaces all introduce new surfaces for cross-tenant attacks.
The WriteOut vulnerability is a reminder that session isolation isn’t a checkbox — it’s a continuous engineering discipline. Every new feature that touches authentication needs to be audited, not just for its intended behavior, but for what happens when someone sends unexpected data across tenant boundaries.
For enterprises using AI platforms, the lesson is clear: don’t assume your data is walled off just because the marketing materials say so. Ask your vendors about their session isolation architecture. Ask about their bug bounty program. And if they can’t give you a straight answer, that’s an answer in itself.
Key takeaways
- One-click exploitation: WriteOut required only a single click from a victim to leak their session token.
- Cross-tenant scope: The flaw broke tenant isolation, meaning data from one organization could be accessed by an attacker posing as a user from another.
- No authentication needed: The attacker didn’t need valid credentials — just a crafted link and a victim.
- Patched responsibly: Sand Security disclosed the bug to Writer, which fixed it before public disclosure.
For more on securing generative AI workflows, check out our guide on AI platform security best practices and how to audit session token handling in multi-tenant SaaS apps.
Writer has since confirmed the patch is complete and no customer data was compromised. But WriteOut will go down as a near-miss — one that could have exposed every agent, every prompt, and every session on the platform.