Palo Alto Networks’ Unit 42 research team has discovered critical security blind spots in the Google Cloud Platform (GCP) Vertex AI Agent Engine, demonstrating how a deployed AI agent could be weaponised to compromise an entire GCP environment, effectively turning it into a “double agent”.
Key findings:
- Privilege escalation: Researchers compromised a single Per-Project, Per-Product Service Agent (P4SA) and escalated privileges through its excessive default permissions, exposing a significant risk in default permission scoping.
- Unrestricted read access: The compromised agent gained unrestricted read access to all data in Google Cloud Storage buckets within the customer’s (consumer) project.
- Internal exposure: The attack also granted access to restricted, Google-owned Artifact Registry repositories, allowing the download of container images that form the core of the Vertex AI Reasoning Engine, and revealing internal Google Cloud infrastructure details.
- Latent workspace risk: Analysis showed that overly permissive, non-editable default OAuth 2.0 scopes created a latent security weakness that could potentially extend access into Google Workspace services such as Gmail and Drive.
Mitigation & collaboration
Unit 42 responsibly disclosed these findings to Google. In collaboration with the Google security team, official documentation was revised to increase transparency regarding resource usage. Google also suggested the Bring Your Own Service Account (BYOSA) best practice to help organisations enforce the principle of least privilege and mitigate the risk of excessive permissions.
Read the full report here: Double Agents: Exposing Security Blind Spots in GCP Vertex AI





