🔴 Critical | Source: The Hacker News
A critical vulnerability in Writer, an enterprise AI platform, allowed attackers to leak session tokens across different customer tenants simply by tricking a user into clicking a malicious link. Dubbed ‘WriteOut’ by Sand Security Research, the flaw meant a complete outsider could gain full access to any Writer tenant without prior credentials. The vulnerability has since been patched by Writer.
Security Architect’s Take: If your organisation uses Writer, confirm with your vendor that the patch has been applied to your tenant and review recent session and access logs for any anomalous cross-tenant activity. More broadly, this is a prompt reminder to assess any enterprise AI platforms in your stack for session isolation controls and enforce short-lived, scoped session tokens wherever possible.
Original advisory: Writer AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants