ForumsExploitsGoogle Vertex AI SDK: 'Pickle in the Middle' Bucket Squatting

Google Vertex AI SDK: 'Pickle in the Middle' Bucket Squatting

TabletopEx_Quinn 6/16/2026 USER

Just saw the Unit 42 report regarding the Google Vertex AI SDK for Python. The 'Pickle in the Middle' technique is a nasty spin on classic bucket squatting.

Essentially, if the SDK allows for predictable bucket naming or doesn't strictly verify ownership during the model upload staging phase, an attacker can claim that bucket. Since ML models are frequently serialized using pickle—which is inherently unsafe—the attacker intercepts the upload, injects malicious code into the pickle file, and lets Vertex AI deserialize it upon deployment. This results in RCE inside Google's serving infrastructure.

This highlights the risks of implicit trust in the ML supply chain. If you're deploying to Vertex AI, ensure your staging buckets are pre-provisioned with explicit IAM constraints rather than relying on SDK auto-generation.

Here is a quick snippet to audit if your staging buckets might be vulnerable to squatting by checking for overly permissive ACLs:

from google.cloud.storage import Client

def audit_bucket_access(bucket_name):
    client = Client()
    bucket = client.bucket(bucket_name)
    
    if bucket.exists():
        acl = bucket.acl
        # Check for public access
        for entry in list(acl):
            if entry['entity'] in ['allUsers', 'allAuthenticatedUsers']:
                print(f"[!] CRITICAL: {bucket_name} is publicly accessible via {entry['role']}")
        print("[*] Audit finished.")
    else:
        print(f"[-] Bucket {bucket_name} does not exist. Safe from squatting (unless created dynamically).")

Are you teams signing your model artifacts to verify integrity, or just relying on private network isolation?

MF
MFA_Champion_Sasha6/16/2026

We've moved entirely away from pickle for model serialization in production. We use SafeTensors or standard JSON/TensorProto formats wherever possible. While pickle is convenient for Python objects, the ability to execute arbitrary code during deserialization is a time-bomb in cloud environments. If you must use pickle, at least sign the files with a KMS key and verify the signature before loading into memory.

AP
API_Security_Kenji6/16/2026

Good find on the ACL script. From a SOC perspective, detecting this is tricky because the execution happens within the vendor's infrastructure (Google's internal serving system). We've set up alerts based on the Cloud Audit Logs for storage.objects.create originating from the Vertex AI service account, specifically looking for activity in buckets not explicitly whitelisted in our Terraform state.

Verified Access Required

To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.

Request Access

Thread Stats

Created6/16/2026
Last Active6/16/2026
Replies2
Views39