Cybersecurity experts have revealed a significant security flaw in the Writer AI platform, a widely used enterprise generative artificial intelligence tool. This vulnerability, which has since been resolved, posed a serious threat by potentially allowing unauthorized access across different tenant accounts.
Details of the WriteOut Vulnerability
The vulnerability, identified as WriteOut by Sand Security Research, was a one-click flaw that could enable an attacker to gain access to any Writer AI organization through a simple link. This breach could have led to unauthorized access to sensitive information such as private conversations, documents, and large language model credentials.
Attackers could exploit this flaw to take over administrative roles without needing to belong to the same organization as the victim. By creating a malicious agent within their own Writer account and sharing a preview link, attackers could hijack a victim’s session upon clicking the link, provided the victim was logged into their account.
Implications for Tenant Isolation and Security
The vulnerability compromised the shared responsibility model by bypassing tenant isolation protections. This was achieved by exploiting Writer’s live preview feature, which allowed users to see application previews through the Writer Framework. As a result, an attacker could act as a legitimate user within different organizations.
The attack sequence involved an attacker creating an agent with a public preview link. When a Writer user opened this link while logged in, their session cookie was inadvertently sent to the attacker’s environment, allowing the attacker to replay the session and gain control over the account.
Resolution and Preventive Measures
Following responsible disclosure, Writer addressed the security issue by ensuring session cookies are not forwarded into sandbox previews and relocating them to an isolated origin. This prevents unauthorized access to session tokens during previews.
Despite the presence of security measures, such as input-side filtering to block malicious code, the vulnerability persisted due to a focus on instructions rather than runtime behavior. Attackers circumvented these measures by directing agents to execute remote scripts, avoiding detection by the existing safeguards.
In summary, the WriteOut vulnerability highlighted critical security challenges in AI platforms, emphasizing the need for robust protection mechanisms to prevent future breaches. As AI technologies continue to evolve, enterprises must remain vigilant in securing their systems against potential threats.
