Google Cloud's Vertex AI could turn AI agents into insider threats
Gugu Ntsele April 1, 2026
According to The Hacker News, cybersecurity researchers discovered a critical vulnerability in Google Cloud's Vertex AI platform that allows attackers to weaponize AI agents to steal sensitive data and compromise cloud environments.
What happened
Researchers found that the Per-Project, Per-Product Service Agent (P4SA) tied to AI agents built with Vertex AI's Agent Development Kit (ADK) carries excessive permissions by default. An attacker who exploits this misconfiguration can extract the P4SA's credentials and act on its behalf.
Every call to a deployed Vertex AI agent invokes Google's metadata service, exposing the service agent's credentials, the GCP project hosting the agent, the agent's identity, and the scope of the hosting machine. Researchers used those stolen credentials to break out of the AI agent's execution context and into the customer project, gaining unrestricted read access to all Google Cloud Storage buckets within that project.
Going deeper
The vulnerability creates several kinds of exposure:
- Credential theft: Any call to a deployed Vertex AI agent exposes the P4SA's credentials via Google's metadata service.
- Tenant project access: Stolen credentials allowed researchers to access Google Cloud Storage buckets inside Google's own managed tenant project, revealing details about the platform's internal infrastructure.
- Artifact Registry breach: The same credentials unlocked restricted, Google-owned Artifact Registry repositories, letting an attacker download private container images central to Vertex AI's Reasoning Engine.
- Supply chain mapping: Access to those repositories also exposed additional restricted images beyond what appeared in deployment logs, giving an attacker a potential blueprint for identifying further vulnerabilities across Google's internal software supply chain.
What was said
Cybersecurity researcher Ofir Shaty warned that "a misconfigured or compromised agent can become a 'double agent' that appears to serve its intended purpose, while secretly exfiltrating sensitive data, compromising infrastructure, and creating backdoors into an organization's most critical systems."
Shaty also said, "Granting agents broad permissions by default violates the principle of least privilege and is a dangerous security flaw by design. Organizations should treat AI agent deployment with the same rigor as new production code."
In the know
The principle of least privilege (PoLP) is a cybersecurity concept that holds that any user, system, or process should have only the minimum permissions necessary to perform its function. When platforms grant broad permissions by default, a single compromised component can lead to full environment access.
Why it matters
Access to Google's private Artifact Registry repositories means an attacker could study the internal architecture of Vertex AI itself, identify vulnerable or deprecated images, and plan further attacks against the platform or against every organization running on it.
Google has since updated its documentation and recommends that customers adopt BYOSA (bring your own service account), so that each deployed agent runs under a customer-controlled service account with only the roles it needs, and enforce least privilege.
The bottom line
Organizations using Vertex AI should review their service agent configurations, implement BYOSA, and audit what their deployed agents can actually access.
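The audit step above can be started from a plain IAM policy export. The following script is an added illustration, not code from the article or from Google: it reads the JSON produced by `gcloud projects get-iam-policy PROJECT_ID --format=json` and flags any service account or service agent that holds a broad role, plus any role a bring-your-own service account holds beyond the ones you intended to grant. The role list, the service agent naming pattern and the sample policy are constructed assumptions, not findings from the page.

```python
"""Audit a GCP IAM policy export for over-privileged service identities.

Added example (not from the article or Google). Usage:
    python audit_agent_iam.py policy.json
With no argument it runs against the constructed sample policy below.
"""
import fnmatch
import json
import sys

# Roles that hand an identity far more than an agent needs (assumed list;
# extend it for your environment). Basic roles first, then roles that,
# granted at project scope, read or manage every bucket in the project.
BROAD_ROLES = {
    "roles/owner", "roles/editor", "roles/viewer",
    "roles/storage.objectViewer", "roles/storage.objectAdmin",
    "roles/storage.admin", "roles/iam.serviceAccountTokenCreator",
}
BROAD_ROLE_GLOBS = ("roles/*.admin", "roles/*Admin")


def is_broad(role):
    """True if the role is in the broad list or looks like an admin role."""
    return role in BROAD_ROLES or any(
        fnmatch.fnmatch(role, pattern) for pattern in BROAD_ROLE_GLOBS)


def is_service_identity(member):
    # User-managed service accounts and Google-managed service agents both
    # appear as "serviceAccount:" principals in the policy bindings.
    return member.startswith("serviceAccount:")


def audit_policy(policy, allowed=None):
    """Return (member, role, reason) tuples for suspicious bindings.

    allowed: optional {member: set(roles)} listing the exact roles each
    BYOSA is supposed to hold; any other role on that member is reported.
    Members without an allowlist entry are checked against BROAD_ROLES.
    """
    allowed = allowed or {}
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        # A binding with a condition is narrower than it looks, so say so
        # rather than silently accepting it.
        suffix = " (conditional binding)" if "condition" in binding else ""
        for member in binding.get("members", []):
            if not is_service_identity(member):
                continue
            if member in allowed:
                if role not in allowed[member]:
                    findings.append(
                        (member, role, "role not in BYOSA allowlist" + suffix))
            elif is_broad(role):
                findings.append(
                    (member, role, "broad role on service identity" + suffix))
    return findings


# Constructed sample policy in the shape gcloud emits. The service agent
# address pattern and project names are assumptions for illustration.
SAMPLE_POLICY = json.loads("""
{
  "version": 1,
  "etag": "BwXconstructed=",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:service-123456789012@gcp-sa-aiplatform-re.iam.gserviceaccount.com"]},
    {"role": "roles/aiplatform.user",
     "members": ["serviceAccount:agent-runtime@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:agent-runtime@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:agent-runtime@example-project.iam.gserviceaccount.com"]}
  ]
}
""")

# What the hypothetical BYOSA for the agent is meant to hold, and nothing more.
BYOSA_ALLOWLIST = {
    "serviceAccount:agent-runtime@example-project.iam.gserviceaccount.com":
        {"roles/aiplatform.user", "roles/logging.logWriter"},
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            policy = json.load(fh)
    else:
        policy = SAMPLE_POLICY
    findings = audit_policy(policy, BYOSA_ALLOWLIST)
    for member, role, reason in findings:
        print(f"{member}\t{role}\t{reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample policy the script reports two bindings: the Google-managed service agent holding project-wide `roles/storage.objectViewer` (the kind of grant that gives read access to every bucket in the project) and the customer's own agent service account holding `roles/storage.admin` that was never on its allowlist. Bindings to human users are ignored on purpose; the question here is what the agents can reach, not what administrators can.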
FAQs
What is Vertex AI?
Vertex AI is Google Cloud's managed platform for building, deploying, and scaling AI models and agents.
What is a service agent?
A service agent is an identity automatically created by Google Cloud to allow services to interact with other Google Cloud resources on a user's behalf.
What does "excessive permissions by default" mean?
It means that when a service is set up, it is automatically granted more access than it actually needs to function, creating unnecessary risk.
Are only large enterprises affected, or small businesses too?
Any organization using Vertex AI's Agent Engine with default configurations, regardless of size, is potentially exposed to this vulnerability.