
A design flaw in the Python software development kit (SDK) for Vertex AI, Google Cloud’s managed platform for building, training, and deploying AI agents, could allow hijacking and poisoning of models outside of a developer’s own Google Cloud project.
According to Unit 42 researchers, a combination of predictable bucket naming logic and missing authentication made it possible for an attacker to hijack the victim’s project while knowing only their project ID and region.
“Since no two buckets across all of Google Cloud can share the same name, an attacker who is able to predict a bucket name can preemptively create it in their own project,” the researchers said in a blog post. “Any subsequent attempt to use a bucket with that name, even from a different project, silently falls back to the attacker’s bucket.”
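The squatting mechanism the researchers describe, shown as an added example that is not code from the Unit 42 post or from the Vertex AI SDK: a constructed model of Cloud Storage's single global bucket namespace, with the silent-fallback behaviour beside a fail-closed ownership check. The bucket naming pattern, project names, and function names are placeholders assumed for illustration.

```python
"""Bucket-name squatting: silent fallback vs. a fail-closed ownership check.

Constructed model of the global bucket namespace; in production the lookup
would query Cloud Storage for the bucket's owning project instead.
"""
from typing import Dict, Optional

# Global namespace: bucket name -> owning project. A name is unique across
# ALL projects, which is what lets an outsider pre-register a guessed name.
NAMESPACE: Dict[str, str] = {}


def predictable_name(project: str, region: str) -> str:
    # Placeholder pattern built only from values an outsider can know.
    return f"staging-{project}-{region}"


def create_bucket(name: str, owner: str) -> None:
    if name in NAMESPACE:
        raise ValueError(f"bucket name {name!r} is already taken")
    NAMESPACE[name] = owner


def owner_of(name: str) -> Optional[str]:
    return NAMESPACE.get(name)


def get_staging_bucket_unsafe(project: str, region: str) -> str:
    """Models the flawed behaviour: if a bucket with the predictable name
    already exists, reuse it without checking which project owns it."""
    name = predictable_name(project, region)
    if name not in NAMESPACE:
        create_bucket(name, project)
    return name


class BucketHijackError(RuntimeError):
    """Raised when the expected bucket exists but belongs to another project."""


def get_staging_bucket_safe(project: str, region: str) -> str:
    """Fail closed: a pre-existing bucket our project does not own is
    treated as hostile and never silently reused."""
    name = predictable_name(project, region)
    owner = owner_of(name)
    if owner is None:
        create_bucket(name, project)
    elif owner != project:
        raise BucketHijackError(f"{name!r} exists but is owned by {owner!r}")
    return name
```

The same check applies to any SDK that derives resource names from public inputs: verify ownership before writing artifacts, and treat a name collision as an error rather than a fallback.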
