Home/News/Writer AI Vulnerability Allowed Cross-Tenant Session Token Leaks
The Hacker News2 min read

Writer AI Vulnerability Allowed Cross-Tenant Session Token Leaks

Cybersecurity researchers disclosed details of a critical session isolation vulnerability in Writer, an enterprise generative artificial intelligence (AI) platform, that has now been patched. This vulnerability, codenamed WriteOut by the Sand Security Research team, could have allowed for cross-tenant compromise. The flaw meant that an unauthorized outsider could gain access to and potentially take over any Writer AI tenant, effectively compromising sensitive session tokens.

The vulnerability exploited a flaw in how Writer AI handled session isolation between different tenants, which are essentially separate customer accounts or environments within the platform. When a user interacted with an AI agent, the system could inadvertently leak session tokens. These tokens are crucial for maintaining user authentication and session state, and their exposure could grant attackers unauthorized access to other users' data and functionalities within the Writer AI platform. The Sand Security Research team highlighted that the exploit was a "one-click" vulnerability, suggesting a relatively straightforward method for exploitation once discovered.

Writer, the company behind the AI platform, has confirmed the vulnerability and stated that it has been addressed through a patch. The company emphasized its commitment to security and assured users that the issue has been resolved. The incident underscores the ongoing challenges in securing complex AI platforms, particularly those designed for enterprise use where data privacy and tenant isolation are paramount. The successful patching of WriteOut prevents potential data breaches and unauthorized access that could have impacted numerous businesses relying on Writer's AI capabilities for their operations.

While the specific technical details of the exploit were not fully disclosed to prevent further misuse, the disclosure by Sand Security Research serves as a reminder of the importance of continuous security auditing and rapid patching for AI-powered enterprise solutions. The incident highlights the need for robust security measures to protect sensitive session data and maintain the integrity of multi-tenant environments in the rapidly evolving AI landscape.

Original source — read the full reporting at the publisher:

Read on The Hacker News

Read next