WriteOut shows why AI sandboxes do not replace boundaries
July 9, 2026
Sand Security found a now-fixed one-click flaw in Writer: an agent preview could carry session tokens into an attacker-controlled sandbox. The case is a warning for anyone building agents that execute code.
What this is about
Sand Security described a serious flaw in Writer AI on July 7, 2026: an attacker could share a harmless-looking agent preview link. If a logged-in Writer user opened that link, the user's session token could reach a sandbox controlled by the attacker. Writer says it fixed the issue within 24 hours after notification in May 2026 and has no evidence of malicious exploitation.
The interesting part is not only Writer. The interesting part is the pattern: many companies treat an AI sandbox as a magic security boundary. WriteOut shows that the boundary is only as strong as the data, cookies, tokens and permissions you allow into it.
What WriteOut actually does
The attack used a live preview feature for Writer agents. According to Sand Security, the preview ran under the same origin as the main application. That meant the victim's browser automatically attached the Writer session to the preview request. The preview proxy then forwarded that session into the agent sandbox.
Inside that sandbox, attacker-controlled code could read the token and reuse it outside the sandbox. One click could become an account takeover with the affected user's privileges. If the victim was an administrator, the potential blast radius was larger: private chats, documents, agent configurations, system prompts, connectors and organization settings could be within reach.
Why it matters
The case matters because agent platforms no longer just generate text. They host small apps, execute code, access internal data sources and connect to enterprise systems. That is exactly where tokens, roles and confidential work data live.
The Hacker News reported that Writer, after publication, confirmed that it removed session cookies from sandbox previews and moved previews to an isolated origin. That is the core lesson: the hard boundary is not a prompt filter. It is an architecture where high-value credentials never enter an untrusted runtime in the first place.
In plain language
Imagine a workshop with a locked testing room. The room is useful because sparks, dust and mistakes should stay inside it. But if you accidentally leave the master key to the whole building inside that room, the door lock helps only so much. That is the lesson of WriteOut: the sandbox was the testing room, and the session token was the master key.
A practical example
A company has 2,000 Writer users and allows teams to share agent previews internally. An attacker creates a seemingly useful preview agent, sends the link to 50 targets and a logged-in department lead clicks it. If her session token is forwarded, the attacker can read internal documents, alter an agent prompt and inspect a connector with her permissions, without knowing her password.
After the fix, that path should no longer work because the session no longer lands inside the preview sandbox. For other platforms, the open question remains: which tokens, secrets or internal APIs can reach the agent runtime at all?
Scope and limits
- Writer says the flaw is fixed and that it has no evidence of customer data compromise. This article therefore describes a risk and architecture problem, not a known ongoing attack.
- This is not proof that every AI sandbox is insecure. It shows that sandboxes can be wired incorrectly when session and origin boundaries blur.
- Without Writer's detailed internal logs, outsiders cannot verify which customers were actually exposed or whether any specific preview links were abused.
SEO & GEO keywords
WriteOut, Writer AI, Sand Security, AI sandbox security, session hijacking, agent security, enterprise AI risk, live preview vulnerability, AI runtime isolation, cloud tenant isolation
π‘ In plain English
A sandbox is useful, but it does not replace clean permission architecture. WriteOut shows that if a session token reaches an untrusted agent environment, one click can be enough to take over an account.
Key Takeaways
- βSand Security disclosed WriteOut on July 7, 2026 as a now-fixed Writer AI vulnerability.
- βThe attack depended on session cookies, live previews and a sandbox that could see a high-value token.
- βWriter says it fixed the flaw within 24 hours in May 2026 and has no evidence of malicious exploitation.
- βThe broader lesson is that AI sandboxes must be modeled like ordinary runtimes with secrets, origins and roles.
- βCompanies should review which agent runtimes can access cookies, tokens, connectors and internal data sources.
FAQ
Does a Writer customer need to patch now?
Writer says the cloud-side flaw has already been fixed. Customers should still review logs, preview sharing and agent permissions.
Is WriteOut a prompt-injection attack?
Not at its core. The decisive weakness was a session token entering an untrusted sandbox; prompt filters were only a weak secondary barrier.
Why does an isolated origin matter?
Browsers bind cookies to origins. If the preview and main app are separated cleanly, sensitive session data does not automatically travel into the preview.
Sources & Context
- Sand Security: WriteOut - Abusing the Sandbox for a Critical Cross-Tenant Vulnerability in Writer AI
- The Hacker News: Writer AI Flaw Could Let Agent Previews Leak Session Tokens Across Tenants
- Security Point Break: WriteOut PoC Attack Exposed AI Tool to One-Click Takeover
- Writer Help Center: Manage WRITER Agent
- Northflank: What is an AI sandbox?