{"id":3465,"date":"2026-04-01T08:25:00","date_gmt":"2026-04-01T15:25:00","guid":{"rendered":"http:\/\/www.wiki-living.com\/index.php\/2026\/04\/01\/what-if-the-ai-agent-you-just-deployed-was-secretly-working-against-you-vertex-ai-double-agent-bug-exposes-customer-data-and-googles-internal-code\/"},"modified":"2026-04-02T04:18:38","modified_gmt":"2026-04-02T11:18:38","slug":"what-if-the-ai-agent-you-just-deployed-was-secretly-working-against-you-vertex-ai-double-agent-bug-exposes-customer-data-and-googles-internal-code","status":"publish","type":"post","link":"https:\/\/www.wiki-living.com\/index.php\/2026\/04\/01\/what-if-the-ai-agent-you-just-deployed-was-secretly-working-against-you-vertex-ai-double-agent-bug-exposes-customer-data-and-googles-internal-code\/","title":{"rendered":"&#8216;What if the AI agent you just deployed was secretly working against you?&#8217;: Vertex AI &#8216;double agent&#8217; bug exposes customer data and Google&#8217;s internal code"},"content":{"rendered":"<div id=\"article-body\">\n<hr id=\"elk-54425299-9868-4e7b-bdf0-4b832cd766a2\"\/>\n<ul id=\"elk-37371436-2def-4ae7-9aa8-8a83bddecc16\">\n<li><strong>Unit 42 reveals poorly configured Vertex AI agents on Google Cloud can be hijacked and turned into &#8220;double agents&#8221;<\/strong><\/li>\n<li><strong>Excessive default permissions allow attackers to bypass, access Cloud Storage, and reveal Google&#8217;s internal code<\/strong><\/li>\n<li><strong>Google has updated its documentation, urging customers to use Bring Your Own Service Account (BYOSA) instead of the default<\/strong><\/li>\n<\/ul>\n<hr id=\"elk-8dbe621e-e72e-43e2-b795-586a376ec8a9\"\/>\n<p id=\"elk-89c0b648-03f6-49c6-8191-1d03c5b8b6df\">Cloud misconfiguration is one of the biggest causes of data leaks, but now we have another form of misconfiguration to worry about &#8211; AI agents.<\/p>\n<p>Unit 42, Palo Alto&#8217;s cybersecurity arm, has released a new analysis that shows how the AI 
agent used in the Google Cloud Platform (GCP) Vertex AI Agent Engine can be turned into a &#8220;double agent&#8221; &#8211; doing harm while appearing to serve its purpose.<\/p>\n<p id=\"elk-89c0b648-03f6-49c6-8191-1d03c5b8b6df-2\">Vertex AI is the main AI\/ML platform from Google Cloud, where developers can build and deploy machine learning models and generative AI applications. The Agent Engine is what turns models into autonomous agents.<\/p>\n<h2 id=\"a-blueprint-for-finding-flaws-3\">A blueprint for finding flaws<\/h2>\n<p id=\"elk-5c28a411-fdb4-4a55-ac70-48e3056654bf\">However, Unit 42 notes that users who are not mindful of permissions can leave their agents vulnerable to takeover.<\/p>\n<p>&#8220;By exploiting significant vulnerabilities in automated consent selection and compromising a single 
service agent, we reveal how Vertex AI&#8217;s consent model can be misused, leading to unintended consequences,&#8221; the report said.<\/p>\n<p>The researchers first deployed a custom AI agent using the Vertex AI ADK in a managed environment and discovered that the agent&#8217;s default service account (P4SA) had excessive permissions.<\/p>\n<p>Then, using a custom-built malicious tool, they were able to extract the service agent&#8217;s credentials from the metadata service and use them to log in to the consumer&#8217;s project. This gave them unrestricted read access to all Cloud Storage data, as well as to the manufacturer&#8217;s environment (owned by Google).<\/p>\n<p>This exposed the Artifact Registry&#8217;s restricted repositories, allowing the researchers to download secret container images, list internal resources and audited artifacts, and reveal proprietary source code and internal infrastructure details.<\/p>\n<p>&#8220;Gaining access to this proprietary code not only exposes Google&#8217;s intellectual property but also provides an attacker with a blueprint for additional vulnerabilities,&#8221; the researchers explained in the paper.<\/p>\n<p>In response, Google has updated its documentation to better explain how Vertex AI uses services, accounts, and agents. 
The company now recommends that customers use a Bring Your Own Service Account (BYOSA) instead of the default one.<\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>Unit 42 reveals poorly configured Vertex AI agents on Google Cloud can be hijacked and turned into &#8220;double agents&#8221; Excessive default permissions allow attackers to bypass, access Cloud Storage, and reveal Google&#8217;s internal code Google has updated its documentation, urging customers to use Bring Your Own Service Account (BYOSA) instead of the default Cloud misconfiguration is one of the 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3466,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[],"class_list":{"0":"post-3465","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-smart-home-gadgets"},"_links":{"self":[{"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/posts\/3465","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/comments?post=3465"}],"version-history":[{"count":1,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/posts\/3465\/revisions"}],"predecessor-version":[{"id":3467,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/posts\/3465\/revisions\/3467"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/media\/3466"}],"wp:attachment":[{"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/media?parent=3465"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/categories?post=3465"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wiki-living.com\/index.php\/wp-json\/wp\/v2\/tags?post=3465"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}