cyberivy
Writer AIWriteOutAI SecuritySandbox SecuritySession HijackingAI AgentsEnterprise AICloud Security

WriteOut shows why AI sandboxes do not replace boundaries

July 9, 2026

Ein Serverraum mit schwarzen Serverschraenken, blau-gruenen Statuslichtern und sichtbarer Verkabelung in einem Rechenzentrum

Sand Security found a now-fixed one-click flaw in Writer: an agent preview could carry session tokens into an attacker-controlled sandbox. The case is a warning for anyone building agents that execute code.

What this is about

Sand Security described a serious flaw in Writer AI on July 7, 2026: an attacker could share a harmless-looking agent preview link. If a logged-in Writer user opened that link, the user's session token could reach a sandbox controlled by the attacker. Writer says it fixed the issue within 24 hours after notification in May 2026 and has no evidence of malicious exploitation.

The interesting part is not only Writer. The interesting part is the pattern: many companies treat an AI sandbox as a magic security boundary. WriteOut shows that the boundary is only as strong as the data, cookies, tokens and permissions you allow into it.

What WriteOut actually does

The attack used a live preview feature for Writer agents. According to Sand Security, the preview ran under the same origin as the main application. That meant the victim's browser automatically attached the Writer session to the preview request. The preview proxy then forwarded that session into the agent sandbox.

Inside that sandbox, attacker-controlled code could read the token and reuse it outside the sandbox. One click could become an account takeover with the affected user's privileges. If the victim was an administrator, the potential blast radius was larger: private chats, documents, agent configurations, system prompts, connectors and organization settings could be within reach.

Why it matters

The case matters because agent platforms no longer just generate text. They host small apps, execute code, access internal data sources and connect to enterprise systems. That is exactly where tokens, roles and confidential work data live.

The Hacker News reported that Writer, after publication, confirmed that it removed session cookies from sandbox previews and moved previews to an isolated origin. That is the core lesson: the hard boundary is not a prompt filter. It is an architecture where high-value credentials never enter an untrusted runtime in the first place.

In plain language

Imagine a workshop with a locked testing room. The room is useful because sparks, dust and mistakes should stay inside it. But if you accidentally leave the master key to the whole building inside that room, the door lock helps only so much. That is the lesson of WriteOut: the sandbox was the testing room, and the session token was the master key.

A practical example

A company has 2,000 Writer users and allows teams to share agent previews internally. An attacker creates a seemingly useful preview agent, sends the link to 50 targets and a logged-in department lead clicks it. If her session token is forwarded, the attacker can read internal documents, alter an agent prompt and inspect a connector with her permissions, without knowing her password.

After the fix, that path should no longer work because the session no longer lands inside the preview sandbox. For other platforms, the open question remains: which tokens, secrets or internal APIs can reach the agent runtime at all?

Scope and limits

  • Writer says the flaw is fixed and that it has no evidence of customer data compromise. This article therefore describes a risk and architecture problem, not a known ongoing attack.
  • This is not proof that every AI sandbox is insecure. It shows that sandboxes can be wired incorrectly when session and origin boundaries blur.
  • Without Writer's detailed internal logs, outsiders cannot verify which customers were actually exposed or whether any specific preview links were abused.

SEO & GEO keywords

WriteOut, Writer AI, Sand Security, AI sandbox security, session hijacking, agent security, enterprise AI risk, live preview vulnerability, AI runtime isolation, cloud tenant isolation

πŸ’‘ In plain English

A sandbox is useful, but it does not replace clean permission architecture. WriteOut shows that if a session token reaches an untrusted agent environment, one click can be enough to take over an account.

Key Takeaways

  • β†’Sand Security disclosed WriteOut on July 7, 2026 as a now-fixed Writer AI vulnerability.
  • β†’The attack depended on session cookies, live previews and a sandbox that could see a high-value token.
  • β†’Writer says it fixed the flaw within 24 hours in May 2026 and has no evidence of malicious exploitation.
  • β†’The broader lesson is that AI sandboxes must be modeled like ordinary runtimes with secrets, origins and roles.
  • β†’Companies should review which agent runtimes can access cookies, tokens, connectors and internal data sources.

FAQ

Does a Writer customer need to patch now?

Writer says the cloud-side flaw has already been fixed. Customers should still review logs, preview sharing and agent permissions.

Is WriteOut a prompt-injection attack?

Not at its core. The decisive weakness was a session token entering an untrusted sandbox; prompt filters were only a weak secondary barrier.

Why does an isolated origin matter?

Browsers bind cookies to origins. If the preview and main app are separated cleanly, sensitive session data does not automatically travel into the preview.

Sources & Context