Google Vertex AI 'Double Agent' Flaw Exposes Customer Data and Internal Code

Got story updates? Submit your updates here. ›

Cybersecurity firm Unit 42 has revealed a flaw in Google's Vertex AI platform that can allow a deployed AI agent to be turned into a 'double agent,' potentially exposing customer data and Google's own proprietary source code. The researchers found that the default service account for Vertex AI agents had excessive permissions, which could be exploited to gain access to Cloud Storage data and internal Google resources.

Why it matters

This vulnerability highlights the risks of misconfigured AI systems, which can have serious consequences for data security and intellectual property protection. As more businesses rely on AI and cloud-based services, ensuring proper security controls and permissions is crucial to prevent such breaches.

The details

Unit 42 researchers deployed a custom AI agent using Vertex AI's ADK and discovered that the default service account had excessive permissions. They were then able to extract the service agent credentials, use them to pivot into the consumer project, and gain unrestricted read access to Cloud Storage data as well as access to restricted Artifact Registry repositories containing proprietary Google source code and internal infrastructure details.

• The vulnerability was discovered by Unit 42 researchers in a controlled environment.
• Google updated its Vertex AI documentation in response to the findings, recommending customers use Bring Your Own Service Account (BYOSA) to replace the default ones.

What’s next

Google has updated its Vertex AI documentation to recommend customers use Bring Your Own Service Account (BYOSA) to replace the default service accounts, which were found to have excessive permissions that could be exploited.