Critical Vertex AI Vulnerability Uncovered, Exposing Sensitive Google Cloud Data
By John Jordan, 2 hours ago, 3 min read
Cybersecurity researchers have identified a significant security flaw within Google Cloud's Vertex AI platform. This vulnerability, dubbed a "blind spot," could allow malicious actors to weaponize AI agents, leading to unauthorized access to sensitive data and potential compromise of an organization's cloud environment. The issue stems from the default excessive permissions granted to the service agent associated with Vertex AI agents.
Key Takeaways
A vulnerability in Google Cloud's Vertex AI allows AI agents to be exploited for data exfiltration and system compromise.
The issue lies in the default excessive permissions of the Per-Project, Per-Product Service Agent (P4SA).
Attackers could gain unauthorized access to Google Cloud Storage buckets and restricted Google-owned Artifact Registry repositories.
Google has updated its documentation and recommends using Bring Your Own Service Account (BYOSA) to enforce the principle of least privilege.
The "Double Agent" Threat
Researchers from Palo Alto Networks Unit 42 discovered that the Per-Project, Per-Product Service Agent (P4SA) for Vertex AI agents, by default, possesses overly broad permissions. This misconfiguration can transform a legitimate AI agent into a "double agent." Such an agent could appear to perform its intended functions while secretly exfiltrating sensitive data, compromising infrastructure, and creating backdoors into critical systems.
When an AI agent is invoked, it interacts with Google's metadata service, which exposes the service agent's credentials, the hosting GCP project, the agent's identity, and the machine's scopes. Unit 42 demonstrated that these stolen credentials could be used to pivot from the AI agent's execution context into the customer project, granting unrestricted read access to every Google Cloud Storage bucket in that project.
Access to Proprietary Code and Infrastructure
Beyond customer data, the compromised P4SA credentials also provided access to restricted, Google-owned Artifact Registry repositories. These repositories contain container images that are core to the Vertex AI Reasoning Engine. An attacker could leverage this access to download proprietary code, potentially revealing Google's intellectual property and providing a blueprint for discovering further vulnerabilities. This misconfiguration in access control for critical infrastructure could allow attackers to map Google's internal software supply chain and identify weaknesses.
Google's Response and Mitigation Strategies
Following the disclosure, Google has updated its official documentation to clarify how Vertex AI utilizes resources, accounts, and agents. The company strongly recommends that customers implement the Bring Your Own Service Account (BYOSA) approach. This involves replacing the default service agent with a custom, dedicated service account, thereby enforcing the principle of least privilege (PoLP) and ensuring agents only have the necessary permissions for their tasks.
Security experts emphasize that organizations should treat AI agent deployments with the same rigor as new production code. This includes validating permission boundaries, restricting OAuth scopes to the minimum required, reviewing source integrity, and conducting thorough security testing before production rollout.
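One way to validate permission boundaries as recommended above, added here as an example and not code from the article or from Unit 42: a Python audit of a project IAM policy, in the JSON shape exported by `gcloud projects get-iam-policy PROJECT --format=json`, that flags Google-managed service agents holding broad, unconditional project-wide roles. The sample policy, the project number and the `gcp-sa-aiplatform-re` service agent name are constructed assumptions.

```python
"""Audit a GCP project IAM policy for over-privileged service agents.

Input is the JSON produced by `gcloud projects get-iam-policy PROJECT --format=json`.
Google-managed service agents (P4SAs) appear as
serviceAccount:service-PROJECT_NUMBER@gcp-sa-<product>.iam.gserviceaccount.com.
"""
import json
import re

# Roles that give project-wide reach far beyond what an agent runtime needs.
BROAD_ROLES = {
    "roles/owner", "roles/editor", "roles/viewer",
    "roles/storage.admin", "roles/storage.objectAdmin", "roles/storage.objectViewer",
    "roles/artifactregistry.admin", "roles/artifactregistry.reader",
}
P4SA_RE = re.compile(
    r"^serviceAccount:service-\d+@gcp-sa-[\w-]+\.iam\.gserviceaccount\.com$"
)


def audit_policy(policy: dict) -> list[tuple[str, str]]:
    """Return sorted (member, role) pairs for service agents holding a broad role
    that is not narrowed by an IAM condition."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BROAD_ROLES or binding.get("condition"):
            continue  # narrow role, or access already gated by a condition
        for member in binding.get("members", []):
            if P4SA_RE.match(member):
                findings.append((member, role))
    return sorted(findings)


# Constructed sample policy (assumed project number and principals): a Vertex AI
# service agent with read access to every bucket in the project, next to a
# dedicated BYOSA that only carries a narrow role.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:service-123456789012@gcp-sa-aiplatform-re.iam.gserviceaccount.com"]},
    {"role": "roles/aiplatform.user",
     "members": ["serviceAccount:agent-runtime@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/editor",
     "members": ["user:admin@example.com"]}
  ]
}""")

if __name__ == "__main__":
    for member, role in audit_policy(SAMPLE_POLICY):
        print(f"BROAD: {member} holds {role} with no condition")
```

Run it against a real export by replacing `SAMPLE_POLICY` with `json.load(open("policy.json"))`; a dedicated BYOSA under the customer project domain is deliberately not matched, so its roles are reviewed separately.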
Enhancing AI Security
Companies like Wiz are also stepping in to help organizations manage the security risks associated with AI development. Wiz offers support for Google Cloud's Vertex AI, providing visibility into AI infrastructure, identifying misconfigurations, external exposure, sensitive data risks, and vulnerabilities in underlying compute engines. This helps ensure that AI models are built, deployed, and scaled securely and responsibly.
Sources
Vertex AI Vulnerability Exposes Google Cloud Data and Private Artifacts, The Hacker News.
Double Agents: Exposing Security Blind Spots in GCP Vertex AI, Unit 42.
Wiz helps organizations innovate with AI securely and responsibly, launching support for Google Cloud VertexAI, wiz.io.