DEV Community

Achin Bansal
Achin Bansal

Posted on • Originally published at gridthegrey.com

Session Token Leak in Writer AI Enables Cross-Tenant Account Takeover

Forensic Summary

A critical vulnerability dubbed WriteOut in the Writer enterprise AI platform allowed attackers to hijack victim session tokens across organisational boundaries using a malicious agent preview link. The flaw exploited Writer's live preview sandbox, which incorrectly forwarded authenticated session cookies into attacker-controlled execution environments. Writer has patched the issue by isolating sandbox origins and stripping session cookies from preview requests.


Read the full technical deep-dive on Grid the Grey: https://gridthegrey.com/posts/session-token-leak-in-writer-ai-enables-cross-tenant-account-takeover/

Top comments (0)