Unit 42's Double Agents study reveals that misconfigured Vertex AI deployments in GCP can be weaponised by exploiting a Per-Project, Per-Product Service Agent (P4SA) that carries default, excessive permissions, enabling an AI agent to exfiltrate data and pivot into consumer projects.
Using the stolen service-agent credentials, the researchers gained unrestricted read access to Google Cloud Storage buckets in the consumer project and accessed restricted producer images in private Artifact Registry repositories associated with Vertex AI's reasoning engine and LLM extension. They highlight that the broad OAuth 2.0 scopes assigned by default can extend access beyond the GCP environment into Google Workspace services, a breach of the principle of least privilege at the scope level rather than only at the IAM role level.
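The scope-level point is easy to check in practice: the tokeninfo endpoint reports the scopes on an access token as a space-separated `scope` string, and a workload's scopes can be compared against the set it is supposed to hold. The helper below is an added example, not code from Unit 42 or Google; the scope prefixes and the sample tokeninfo response are constructed, and the `expected` set is whatever the deploying team decides the agent legitimately needs.

```python
# Added example: classify the OAuth 2.0 scopes on an access token against an
# expected least-privilege set. Input has the shape of a tokeninfo response
# (constructed sample below); it is not tied to any specific deployment.

# Scope families that reach Google Workspace data instead of GCP resources.
WORKSPACE_PREFIXES = (
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/admin.directory",
)

# Umbrella scopes that cover every GCP API at once; rarely what one agent needs.
UMBRELLA_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
}


def audit_token_scopes(tokeninfo: dict, expected: set) -> dict:
    """Compare granted scopes with the expected set.

    Returns the Workspace-reaching and umbrella scopes found, every scope not
    in `expected`, and a boolean saying whether the token is least-privilege.
    """
    granted = set(tokeninfo.get("scope", "").split())
    return {
        "workspace": sorted(s for s in granted if s.startswith(WORKSPACE_PREFIXES)),
        "umbrella": sorted(granted & UMBRELLA_SCOPES),
        "unexpected": sorted(granted - expected),
        "least_privilege": granted <= expected,
    }


# Constructed sample: what a tokeninfo lookup might return for an agent token
# that was issued with a default, broad scope set.
SAMPLE_TOKENINFO = {
    "scope": (
        "https://www.googleapis.com/auth/cloud-platform "
        "https://www.googleapis.com/auth/drive.readonly "
        "https://www.googleapis.com/auth/devstorage.read_only"
    ),
    "expires_in": 3599,
}

# The agent in this hypothetical case only needs read access to one bucket.
EXPECTED_SCOPES = {"https://www.googleapis.com/auth/devstorage.read_only"}

if __name__ == "__main__":
    report = audit_token_scopes(SAMPLE_TOKENINFO, EXPECTED_SCOPES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The Workspace and umbrella buckets are reported separately because they call for different remediation: an umbrella scope is usually fixed by narrowing the scope set when the token is minted, whereas a Workspace scope on a GCP service identity is a sign that the identity should not have that scope at all.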
The team also notes that a Python pickle file used to serialize agent code poses a remote code execution risk if it is deserialized unsafely, and that exposed tenant-project data included Dockerfiles and references to internal Google buckets. According to Google, following disclosure the ADK deployment workflow was updated to reinforce least-privilege execution, and BYOSA (bring your own service account) was recommended to organisations as a replacement for default service accounts.
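The pickle risk comes from the loader itself: on load, pickle resolves and calls whatever globals the stream names, so an artifact from an untrusted source can make `pickle.loads` invoke arbitrary callables. The defensive pattern is a restricted unpickler that only resolves an allowlist of globals. The code below is an added example, not code from Unit 42, Google or the ADK; the allowlist and the `Callback` class (which uses a harmless `print` as its load-time hook to show the behaviour) are constructed for the demonstration.

```python
# Added example: load a pickle stream with an allowlist of globals so that a
# stream naming anything else is refused instead of executed.
import io
import pickle

# (module, name) pairs an agent artifact may legitimately reference. Anything
# else is refused; in a real deployment this list holds the agent's own classes.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "str"),
    ("builtins", "int"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load global {module}.{name}")


def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads that uses the restricted unpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Callback:
    """Constructed stand-in for an object whose pickle calls a function on load.

    __reduce__ tells pickle to reconstruct the object by calling `print`; a plain
    pickle.loads therefore runs print("reduce hook ran") while deserializing.
    """

    def __reduce__(self):
        return (print, ("reduce hook ran",))


def demo() -> dict:
    """Load a benign artifact and a hooked one through both loaders."""
    benign = pickle.dumps({"tool": "search", "params": ["q"]})
    hooked = pickle.dumps(Callback())

    results = {"benign": safe_loads(benign)}

    # Plain loader: the hook runs during load and print() returns None.
    results["plain_hooked"] = pickle.loads(hooked)

    # Restricted loader: builtins.print is not allowlisted, so the load is refused
    # before any callable is invoked.
    try:
        safe_loads(hooked)
        results["restricted_hooked"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["restricted_hooked"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The allowlist approach fails closed: adding a class the agent needs is an explicit decision, whereas the default loader accepts every global in the stream. Verifying artifact integrity (a signature or a pinned digest on the stored pickle) complements this, since the restricted loader limits damage but does not tell you whether the artifact was tampered with.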
The article concludes that overpermissive agents and supply-chain risks in AI deployments demand rigorous security reviews and mitigations across the whole AI lifecycle.