Ethical Hacking News

A Critical Flaw Exposed: The 'Pickle in the Middle' Attack on Google Cloud Vertex AI



Google's Vertex AI SDK for Python contains a critical flaw known as "Pickle in the Middle," which allows attackers to hijack model uploads via bucket squatting. This vulnerability could lead to arbitrary code execution, OAuth token theft, and sensitive information exposure. Google has released patches to fix this issue.

  • A critical flaw in Google's Vertex AI SDK for Python allows attackers to hijack model uploads via bucket squatting.
  • The attack exploits the SDK's predictable-bucket-name logic: because bucket names are globally unique, an attacker can pre-create the bucket whose name the SDK derives from the victim's project ID and region.
  • The vulnerability can execute arbitrary code within Google-managed tenant projects, potentially stealing sensitive information.
  • Attackers only need a Google Cloud project of their own and the victim's project ID to exploit this vulnerability.
  • Patches have been released by Google to address this issue, including version 1.148.0 with bucket ownership verification.



    A critical flaw was recently disclosed in Google's Vertex AI SDK for Python that allows attackers to hijack model uploads via bucket squatting. The vulnerability was discovered by Palo Alto Networks Unit 42 and reported through Google's bug bounty program; it has been dubbed "Pickle in the Middle" because of the way it exploits predictable-bucket-name logic in the SDK.

    According to a report published on The Hacker News, the attack relies on the fact that bucket names are globally unique, allowing an attacker to create a bucket with the same name as the victim's project ID and region. When the victim's SDK attempts to upload a model file to the bucket, it will be stored in the attacker's bucket instead, allowing the attacker to modify or replace the uploaded file.

    The vulnerability is particularly concerning because many Python machine learning models are saved with pickle or joblib, which can run code when loaded. This means that if an attacker is able to swap out a model file with a malicious one, they will be able to execute arbitrary code within the Google-managed tenant project.

    The attack also allows the attacker to steal sensitive information such as OAuth tokens, access lists, tenant logs, and internal container image paths. In Unit 42's proof of concept, the attacker obtained a complete TensorFlow model with its trained weights, as well as access to BigQuery metadata.

    To exploit this vulnerability, an attacker needs only a Google Cloud project of their own and the victim's project ID. They do not require any additional credentials or access, making it a significant security risk.

    Fortunately, Google has already released patches for this vulnerability, including version 1.148.0, which adds bucket ownership verification to block bucket squatting in Model.upload(). It is recommended that users update to this version or later and set an explicit staging bucket to a Cloud Storage location they control when uploading models.
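    As an added illustration (not code from the article, from Unit 42, or from the Vertex AI SDK itself), the check below shows the idea behind the 1.148.0 fix and the explicit-staging-bucket advice: before staging a model artifact, confirm that the bucket carrying the predictable name is owned by your own project, and refuse to use it otherwise. The bucket-name format and the metadata lookup are assumptions, stubbed here with constructed data so the code runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


class UntrustedStagingBucket(Exception):
    """Raised when the staging bucket belongs to a different project."""


@dataclass(frozen=True)
class BucketInfo:
    name: str
    project_number: str  # owning project, as reported by bucket metadata


def default_staging_name(project_id: str, region: str) -> str:
    # Assumed shape of the predictable, project-derived name; the article
    # does not give the SDK's exact format.
    return f"{project_id}-{region}-staging"


def resolve_staging_bucket(project_id: str, project_number: str, region: str,
                           lookup: Callable[[str], Optional[BucketInfo]],
                           explicit_bucket: Optional[str] = None) -> str:
    """Return a staging bucket name that is safe to upload to.

    lookup(name) returns BucketInfo if a bucket with that (globally unique)
    name exists in any project, or None if no such bucket exists yet.
    """
    name = explicit_bucket or default_staging_name(project_id, region)
    info = lookup(name)
    if info is None:
        # Not taken yet: the SDK would create it inside the caller's project.
        return name
    if info.project_number != project_number:
        # Name exists but is owned by another project: a squatted bucket.
        raise UntrustedStagingBucket(
            f"bucket {name!r} is owned by project {info.project_number}, "
            f"not {project_number}; refusing to stage model artifacts there")
    return name


# Constructed sample data: a victim project and a squatter that already
# holds the predictable name.  No real projects or buckets are referenced.
VICTIM_PROJECT_ID, VICTIM_PROJECT_NUMBER, REGION = "victim-proj", "111", "us-central1"
SQUATTED = default_staging_name(VICTIM_PROJECT_ID, REGION)
_FAKE_BUCKETS: Dict[str, BucketInfo] = {
    SQUATTED: BucketInfo(SQUATTED, project_number="999"),
    "victim-owned-bucket": BucketInfo("victim-owned-bucket", project_number="111"),
}
fake_lookup = _FAKE_BUCKETS.get  # stands in for a real metadata API call
```

    With the default name the call raises UntrustedStagingBucket, while an explicitly chosen bucket owned by the caller's project (or a name nobody has taken yet) is returned unchanged.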

    This incident highlights the importance of regular security audits and updates for cloud-based applications. As machine learning continues to become increasingly prevalent, it is essential that developers prioritize security and take steps to protect their models and data from attacks like this one.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Flaw-Exposed-The-Pickle-in-the-Middle-Attack-on-Google-Cloud-Vertex-AI-ehn.shtml

  • https://thehackernews.com/2026/06/google-vertex-ai-sdk-flaw-let-attackers.html


  • Published: Wed Jun 17 23:03:46 2026 by llama3.2 3B Q4_K_M