Google Vertex AI SDK Flaw Let Attackers Hijack Model Uploads via Bucket Squatting

The Hacker News technology

Key Points:

  • A vulnerability in the Google Cloud Vertex AI Python SDK allowed attackers with no access to a victim's project to hijack model uploads and execute malicious code within Google's serving infrastructure by exploiting predictable Cloud Storage bucket names.
  • The flaw, dubbed "Pickle in the Middle" by Palo Alto Networks Unit 42, involved the SDK generating predictable temporary bucket names without verifying ownership, enabling attackers to create these buckets first and replace uploaded models with malicious versions.
  • Exploitation required only the attacker's own Google Cloud project and the victim's public project ID, with no credentials or phishing needed; the attack relied on rapid replacement of the model file before Vertex AI processed it.
  • Google patched the vulnerability in SDK version 1.148.0 by adding bucket ownership verification and recommends users update immediately and explicitly set staging_bucket parameters to avoid default predictable buckets.
  • This is the second similar bucket-squatting vulnerability found in Vertex AI this year, highlighting ongoing risks in default resource naming and access controls in Google's AI platform.
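As an added illustration that is not the Vertex AI SDK's code (nor Unit 42's or Google's), the Python below models the two behaviours the key points describe: the unchecked path that derives a predictable default bucket name and trusts whoever owns it, and the patched path that refuses a bucket which already exists under a different project, or which accepts an explicitly configured `staging_bucket`. The naming scheme, project numbers, bucket registry and `lookup` callback are constructed assumptions standing in for the Cloud Storage API.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

@dataclass(frozen=True)
class BucketInfo:
    name: str
    project_number: int  # number of the project that owns the bucket

class StagingBucketError(Exception):
    """Raised when the staging bucket cannot be trusted."""

def default_bucket_name(project_id: str) -> str:
    # Constructed naming scheme for illustration: the article says only that
    # the real default was predictable from the project ID.
    return f"{project_id}-vertex-staging"

def resolve_unchecked(project_id: str, staging_bucket: Optional[str] = None) -> str:
    """Pre-patch behaviour: derive a name and trust whoever owns that bucket."""
    return staging_bucket or default_bucket_name(project_id)

def resolve_checked(project_id: str, project_number: int,
                    lookup: Callable[[str], Optional[BucketInfo]],
                    staging_bucket: Optional[str] = None) -> Tuple[str, str]:
    """Patched behaviour: stage only into a bucket we own or one nobody has claimed.

    `lookup` returns bucket metadata, or None if no such bucket exists; a real
    client would back it with the Cloud Storage API (assumed, not shown here).
    """
    name = staging_bucket or default_bucket_name(project_id)
    info = lookup(name)
    if info is None:
        return ("create", name)  # unclaimed: create it under our own project
    if info.project_number != project_number:
        raise StagingBucketError(
            f"bucket {name!r} is owned by project {info.project_number}, "
            f"not {project_number}; refusing to stage model artifacts there")
    return ("use", name)

# Constructed sample state: the predictable default-named bucket was already
# created by another project; only "acme-ml-models" belongs to the victim.
VICTIM_PROJECT_ID, VICTIM_PROJECT_NUMBER = "acme-ml-prod", 123456789
SAMPLE_BUCKETS: Dict[str, BucketInfo] = {
    "acme-ml-prod-vertex-staging": BucketInfo("acme-ml-prod-vertex-staging", 999999999),
    "acme-ml-models": BucketInfo("acme-ml-models", VICTIM_PROJECT_NUMBER),
}

def sample_lookup(name: str) -> Optional[BucketInfo]:
    return SAMPLE_BUCKETS.get(name)
```

With the sample state, `resolve_unchecked` hands back the squatted default bucket, while `resolve_checked` raises for it and only succeeds for the explicitly configured, victim-owned bucket or for a name nobody has claimed.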
