Double Agents: Exposing Security Blind Spots in GCP Vertex AI
ID: b0ae54d1-2c35-52b1-8345-1403afa808b0
STIX ID: report--b0ae54d1-2c35-52b1-8345-1403afa808b0
Feed Name: Palo Alto Networks Unit 42
Palo Alto Networks Unit 42 demonstrates that the default permission scoping of the service agent in Google Cloud Vertex AI Agent Engine can be weaponized by a malicious AI agent. Such an agent can exfiltrate the service agent's credentials and use them to break project isolation: read Google Cloud Storage buckets in consumer/tenant projects, download restricted internal Artifact Registry images, and expose proprietary code, including agent code serialized with insecure pickle. The researchers also found the service agent's OAuth scopes to be overly permissive. The findings were responsibly disclosed to Google; the recommended mitigations include Bring Your Own Service Account (BYOSA) and documentation changes.
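The pickle hazard named in the summary, as an added example that is not Unit 42's, Google's, or Vertex AI's code: a stand-in "agent" object whose pickle stream executes an attacker-chosen callable at load time, the naive `pickle.loads` pattern that runs it, and a restricted unpickler that refuses any global not on an explicit allow list. The `MaliciousAgent` class, the `ALLOWED_GLOBALS` set and the sample benign agent dict are constructed for this demonstration; `eval` is used as the payload's callable only to keep the demo harmless.

```python
"""Constructed demo of pickle as a code-execution sink, and a restricted loader.
Not code from Unit 42, Google, or the Vertex AI SDK."""
import io
import pickle


# --- Vulnerable side -------------------------------------------------------

class MaliciousAgent:
    """Stand-in for attacker-controlled 'agent code' handed to a pickle loader.

    pickle honours __reduce__: the callable and arguments it returns are
    invoked at load time, before the caller sees any object. eval() is used
    here to keep the demo harmless; a real payload would call os.system or
    fetch credentials from the metadata server instead.
    """

    def __reduce__(self):
        # Hypothetical payload: import a module and run code during unpickling.
        return (eval, ("__import__('os').getpid()",))


def build_payload() -> bytes:
    """Serialise the hostile object the way a malicious agent would ship it."""
    return pickle.dumps(MaliciousAgent())


def naive_load(blob: bytes):
    """The unsafe pattern: pickle.loads on bytes the loader does not control.

    For build_payload() this returns the int from eval(), proving the
    attacker's callable ran; no MaliciousAgent object is ever constructed.
    """
    return pickle.loads(blob)


# --- Hardened side ---------------------------------------------------------

# Constructed allow list of (module, name) globals the loader may resolve.
# Agent classes would be added here explicitly; nothing that executes
# arbitrary code (eval, exec, os.system, subprocess.*) belongs on it.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals; every other reference is an error."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve global {module}.{name}")


def hardened_load(blob: bytes):
    """Load with the restricted unpickler; return None if a forbidden global
    was referenced, so callers can treat the blob as hostile."""
    try:
        return RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError:
        return None


# Constructed benign agent state: plain containers need no globals at all.
BENIGN_AGENT = {"name": "helper", "tools": ["search", "calculator"], "retries": 3}


def benign_blob() -> bytes:
    return pickle.dumps(BENIGN_AGENT)


if __name__ == "__main__":
    print("naive load of payload returned:", naive_load(build_payload()))
    print("hardened load of payload returned:", hardened_load(build_payload()))
    print("hardened load of benign blob returned:", hardened_load(benign_blob()))
```

The restricted loader only controls which globals the stream may name; it does not make pickle safe for classes that run code in `__setstate__` or `__reduce__`, so anything added to `ALLOWED_GLOBALS` must itself be reviewed. Where agent code must cross a trust boundary, a data-only format (JSON, protobuf) plus a signature over the bytes is the sounder design.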
