Mark0

Double Agents: Exposing Security Blind Spots in GCP Vertex AI

⚠️ Region Alert: UAE/Middle East

Unit 42 researchers have identified significant security risks within Google Cloud Platform’s Vertex AI Agent Engine, specifically concerning how AI agents can be weaponized as "double agents." By exploiting default permission scoping in the Per-Project, Per-Product Service Agent (P4SA), attackers can extract credentials to gain unauthorized access to sensitive data within consumer projects and restricted internal Google infrastructure, including proprietary container images and source code.

The investigation revealed that these agents often operate with overly permissive OAuth scopes and use insecure serialization methods like Python's pickle module, which could lead to remote code execution. In response to these findings, Google has updated its documentation and recommends the "Bring Your Own Service Account" (BYOSA) model to enforce the principle of least privilege and mitigate the risk of cross-tenant data exposure.
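To make the pickle point concrete, here is an added example that is not from the Unit 42 report or from Google's Vertex AI code. A pickle stream may name any importable callable and `pickle.loads()` will invoke it, which is why deserializing untrusted agent state is a remote-code-execution risk. The `SafeUnpickler` below allow-lists the one type the application expects and refuses every other global; `AgentState` and the two payloads are constructed for this illustration, and the "untrusted" payload deliberately names a harmless function (`os.getcwd`) so the mechanism is visible without doing anything destructive.

```python
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class AgentState:
    """Hypothetical agent checkpoint that a service might persist (assumed)."""
    session_id: str
    turns: int


class SafeUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals on an explicit allow-list.

    Primitive containers (dict, list, str, int, ...) are encoded with their own
    opcodes and never reach find_class, so the list only needs the classes the
    application really stores.
    """

    ALLOWED = {
        (AgentState.__module__, "AgentState"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        # Anything else (os.system, subprocess.Popen, builtins.eval, ...) is refused.
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name} from untrusted pickle")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that enforces the allow-list."""
    return SafeUnpickler(io.BytesIO(data)).load()


class _NamesArbitraryCallable:
    """Constructed stand-in for attacker-controlled state.

    Its __reduce__ makes the pickle stream reference os.getcwd with no
    arguments; plain pickle.loads() calls that function during loading.
    """

    def __reduce__(self):
        return (os.getcwd, ())


def trusted_payload() -> bytes:
    """Bytes an honest producer would write: a plain AgentState."""
    return pickle.dumps(AgentState("sess-1", 3))


def untrusted_payload() -> bytes:
    """Bytes that smuggle a callable reference into the stream."""
    return pickle.dumps(_NamesArbitraryCallable())


def plain_loads_invokes_callable() -> bool:
    """Shows the risk: stock pickle.loads() runs the referenced function."""
    return pickle.loads(untrusted_payload()) == os.getcwd()


def safe_loads_rejects(data: bytes) -> bool:
    """True when SafeUnpickler refuses the stream instead of executing it."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("trusted state restored:", safe_loads(trusted_payload()))
    print("stock loads ran the callable:", plain_loads_invokes_callable())
    print("safe loads rejected untrusted stream:", safe_loads_rejects(untrusted_payload()))
```

An allow-listing unpickler narrows the blast radius but does not make pickle a safe interchange format; where agent state crosses a trust boundary, a schema-checked format such as JSON is the better design, and the service account that reads the state should carry only the scopes that reading it requires.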
