Top Highlights
- Attackers can hijack Google Cloud Vertex AI model uploads by pre-creating the predictably named Cloud Storage bucket the SDK uses by default and swapping the uploaded model for a malicious one before Vertex AI loads it.
- A malicious model runs arbitrary code inside the Vertex AI container on Google's infrastructure, where it can read the service account's OAuth token from the metadata server and reach sensitive data in the victim's project.
- The fix adds a random suffix to generated bucket names and verifies bucket ownership; users should update the SDK and set an explicit staging bucket they control rather than rely on defaults.
Threat Overview, Attack Techniques, and Targets
The flaw in the Vertex AI SDK for Python allows an attacker to hijack model uploads without any access to the victim's project. The attacker needs only the victim's project ID, which is often public, and a Google Cloud project of their own. When a user does not configure a staging bucket, the SDK derives a bucket name from the project ID and region and uses it. The attacker creates a Cloud Storage bucket with that exact name in their own project. The SDK checks whether the bucket exists but never verifies who owns it.
Because Cloud Storage bucket names are globally unique, whoever creates the expected name first owns it. When the victim uploads a model, the SDK stages it in the attacker's bucket, and the attacker can swap the uploaded object for a malicious one. Models serialized with pickle or joblib execute arbitrary code when deserialized, so when Vertex AI loads the swapped model, the attacker's code runs inside the serving container.
The attack is a race: the swap has to land after the victim's upload finishes and before Vertex AI reads the object. Because the attacker owns the bucket, they see each upload as it arrives; in the reported attack the model was replaced within 1.4 seconds of the upload, fast enough that the victim notices nothing. Once the payload runs, it reads the service account's OAuth access token from the container's metadata server. That token can grant access to other resources in the project, including models, logs, and internal data.
Only projects that rely on the SDK's default bucket name generation, rather than setting a staging bucket explicitly, are affected. Unit 42 reported the issue through Google's bug bounty program and has observed no in-the-wild exploitation.
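Why the model swap described above is code execution, and what a loader can check before trusting a pickle, as an added example that is not code from the Unit 42 report or the Vertex AI SDK. `MaliciousModel` is a constructed stand-in whose `__reduce__` makes `pickle.load` call `eval`; the `os.getpid()` payload is a harmless placeholder for one that would read the metadata server. `referenced_globals` scans the pickle's opcodes with `pickletools` without executing it, and `RestrictedUnpickler` resolves only an explicit allowlist of globals.

```python
"""Pickle-based model loading: why a swapped file is code execution, and two pre-load checks.

Added example, not from the Unit 42 report or the Vertex AI SDK. The payload is a harmless
stand-in (eval of os.getpid()); a real one would read the container's metadata server.
"""
import io
import os
import pickle
import pickletools


class MaliciousModel:
    """Constructed stand-in for a 'model' whose pickle runs code when unpickled."""

    def __reduce__(self):
        # pickle.load() calls eval(...) and hands back its result as the loaded object.
        return (eval, ("__import__('os').getpid()",))


def build_malicious_pickle(protocol=None) -> bytes:
    return pickle.dumps(MaliciousModel(), protocol=protocol)


def build_benign_pickle() -> bytes:
    # Plain containers and numbers reference no globals and cannot call anything on load.
    return pickle.dumps({"weights": [0.1, 0.2, 0.3], "bias": 0.5})


def unsafe_load_runs_payload() -> bool:
    # pickle.loads() executes the payload: the 'model' it returns is this process's pid.
    return pickle.loads(build_malicious_pickle()) == os.getpid()


def referenced_globals(blob: bytes) -> set:
    """Static scan: the (module, name) globals a pickle will import, found without loading it.

    Handles GLOBAL (protocols 0-3) and STACK_GLOBAL (protocol 4+), including module/name
    strings the pickler reused through the memo (PUT/MEMOIZE followed by GET).
    """
    found, recent, memo = set(), [], {}
    memoize_count, prev_str = 0, None
    for op, arg, _pos in pickletools.genops(blob):
        if op.name == "GLOBAL":                        # arg is "module name"
            found.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":                # module and name were pushed as strings
            found.add((recent[-2], recent[-1]))
        elif op.name == "MEMOIZE":                     # implicit index: number of MEMOIZEs so far
            if prev_str is not None:
                memo[memoize_count] = prev_str
            memoize_count += 1
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            if prev_str is not None:
                memo[int(arg)] = prev_str
        elif op.name in ("GET", "BINGET", "LONG_BINGET") and int(arg) in memo:
            recent.append(memo[int(arg)])
        if isinstance(arg, str) and op.name != "GLOBAL":
            recent.append(arg)
            prev_str = arg
        elif op.name not in ("MEMOIZE", "PUT", "BINPUT", "LONG_BINPUT"):
            prev_str = None
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only globals on an explicit allowlist; anything else aborts the load."""

    def __init__(self, file, allowed):
        super().__init__(file)
        self.allowed = set(allowed)

    def find_class(self, module, name):
        if (module, name) not in self.allowed:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def load_model(blob: bytes, allowed=()) -> object:
    """Scan first, then load with the restricted unpickler.

    'allowed' lists the (module, name) pairs your real model class legitimately needs.
    """
    unexpected = referenced_globals(blob) - set(allowed)
    if unexpected:
        raise pickle.UnpicklingError(f"unexpected globals in model: {sorted(unexpected)}")
    return RestrictedUnpickler(io.BytesIO(blob), allowed).load()


def load_is_blocked(blob: bytes, allowed=()) -> bool:
    try:
        load_model(blob, allowed)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe load ran payload:", unsafe_load_runs_payload())
    print("globals in malicious blob:", referenced_globals(build_malicious_pickle()))
    print("malicious blob blocked:", load_is_blocked(build_malicious_pickle()))
    print("benign blob loads:", load_model(build_benign_pickle()))
```

The scan and the restricted unpickler complement each other: the scan gives an auditable list of what a file would import before anything runs, and `find_class` is the enforcement point if the scan misses an encoding. Neither helps against a format that is safe by construction (for example, weights-only formats), which is the better choice wherever the model framework supports it.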
Impact, Security Implications, and Remediation Guidance
The consequences are serious. An attacker can take control of a victim's machine learning models and execute code in the victim's Vertex AI environment, with access to sensitive data stored in Google Cloud such as model weights, logs, and metadata. The stolen OAuth token can extend that access to other cloud resources the service account can reach.
The security implications include data theft, model manipulation, and access to internal project resources. Because the flaw lives in the client SDK, every environment that calls it, such as notebooks, CI pipelines, and training scripts, is a potential entry point.
Google has addressed the issue in the SDK. Version 1.144.0 appends a random UUID to generated bucket names, and version 1.148.0 additionally verifies bucket ownership, which closes the bucket-squatting path.
To reduce risk, update to SDK version 1.148.0 or later in every environment that uses it, and audit installed versions across notebooks, pipelines, and scripts. Regardless of version, pass an explicit Cloud Storage bucket that your project owns when initializing the SDK or uploading models; an explicitly configured bucket is never derived from a guessable name.
For further remediation guidance, consult Google's documentation or your security service provider.
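The difference between the existence check described in the threat overview and the ownership check plus randomized naming described in the fix, as an added example that is not the Vertex AI SDK's own code. `FakeStorage` is a constructed in-memory stand-in for the global Cloud Storage namespace whose `get_bucket()` returns the `name` and `projectNumber` fields of a bucket resource; `default_bucket_name()` is a hypothetical deterministic pattern standing in for the SDK's pre-fix default, not the SDK's actual format. Project IDs and numbers are constructed.

```python
"""Bucket squatting: an existence check is not an ownership check.

Added example, not the Vertex AI SDK's code. FakeStorage is a constructed stand-in for the
Cloud Storage API; default_bucket_name() is a hypothetical pattern, not the SDK's real one.
"""
import uuid


class BucketNotFound(Exception):
    pass


class BucketNotOwned(Exception):
    pass


class FakeStorage:
    """Constructed in-memory stand-in for the global Cloud Storage namespace.

    get_bucket() returns the two fields of a real bucket resource that matter here:
    'name' and 'projectNumber' (the owning project, as a string).
    """

    def __init__(self):
        self.buckets = {}

    def create_bucket(self, name, project_number):
        if name in self.buckets:      # names are unique worldwide: first come, first served
            raise ValueError(f"bucket {name} already exists")
        self.buckets[name] = {"name": name, "projectNumber": str(project_number)}
        return self.buckets[name]

    def get_bucket(self, name):
        if name not in self.buckets:
            raise BucketNotFound(name)
        return self.buckets[name]


def default_bucket_name(project_id, location):
    """Hypothetical deterministic name built only from public inputs (stands in for the old default)."""
    return f"{project_id}-vertex-staging-{location}"


def staging_bucket_vulnerable(storage, project_id, project_number, location):
    """Pre-fix logic: existence check only. Whoever created the bucket first receives the uploads."""
    name = default_bucket_name(project_id, location)
    try:
        storage.get_bucket(name)
    except BucketNotFound:
        storage.create_bucket(name, project_number)
    return name


def verify_bucket_owner(meta, project_number):
    """The check the existence test lacks: the bucket must belong to our own project."""
    if meta["projectNumber"] != str(project_number):
        raise BucketNotOwned(f"{meta['name']} is owned by project {meta['projectNumber']}")


def staging_bucket_hardened(storage, project_id, project_number, location, explicit=None):
    """Fixed logic: prefer an explicit bucket, verify ownership, randomize any name we create."""
    name = explicit or default_bucket_name(project_id, location)
    try:
        verify_bucket_owner(storage.get_bucket(name), project_number)
        return name
    except BucketNotFound:
        if explicit:
            raise                      # never auto-create a bucket the caller named explicitly
        # Unpredictable suffix: an attacker cannot pre-register this name from public inputs.
        name = f"{name}-{uuid.uuid4().hex[:12]}"
        storage.create_bucket(name, project_number)
        return name


# Constructed identities for the scenario below.
VICTIM = {"project_id": "acme-ml-prod", "project_number": 111111111111, "location": "us-central1"}
ATTACKER_PROJECT_NUMBER = 999999999999


def squatted_namespace():
    """Attacker, knowing only the victim's project ID and region, registers the expected name first."""
    storage = FakeStorage()
    storage.create_bucket(default_bucket_name(VICTIM["project_id"], VICTIM["location"]),
                          ATTACKER_PROJECT_NUMBER)
    return storage


def owner_of_vulnerable_staging_bucket():
    storage = squatted_namespace()
    return storage.get_bucket(staging_bucket_vulnerable(storage, **VICTIM))["projectNumber"]


def hardened_rejects_squat():
    storage = squatted_namespace()
    try:
        staging_bucket_hardened(storage, **VICTIM)
    except BucketNotOwned:
        return True
    return False


def owner_of_hardened_staging_bucket():
    storage = FakeStorage()            # clean namespace: nothing pre-registered
    return storage.get_bucket(staging_bucket_hardened(storage, **VICTIM))["projectNumber"]


if __name__ == "__main__":
    print("vulnerable path stages uploads in project:", owner_of_vulnerable_staging_bucket())
    print("hardened path rejects squatted bucket:", hardened_rejects_squat())
    print("hardened path creates bucket owned by:", owner_of_hardened_staging_bucket())
```

With the real client the same ownership test reads the bucket's `projectNumber` (exposed by `google-cloud-storage` as `Bucket.project_number`) and compares it with your project number; the explicit path corresponds to passing `staging_bucket` to `aiplatform.init()` so that no name is ever derived from the project ID at all.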
