Critical Writer AI flaw let attackers hijack sessions
🔒 Cybersecurity researchers disclosed a critical session isolation vulnerability in Writer, an enterprise generative AI platform, that allowed cross-tenant account takeover via a one-click exploit named WriteOut. An attacker could create an agent, share its live preview link, and when a logged-in user opened the link their session cookie would be forwarded into the attacker’s sandbox and exfiltrated. Writer has patched the issue by isolating session cookies and preventing them from being forwarded into sandbox previews.
