The Good, The Bad, and The Vulnerable: Breaking Down GCP Tenant Projects
Ofir Balassiano, Ofir Shaty
fwd:cloudsec North America 2025 · Day 1 · Track 1 - Crystal
Ofir Balassiano and Ofir Shaty, security researchers at **Palo Alto Networks**, present a deep investigation into **GCP tenant projects** -- hidden, Google-managed projects that are provisioned behind the scenes when customers use managed services like Vertex AI, Cloud Composer, Cloud SQL, and BigQuery. The researchers reverse-engineered the internal architecture of Vertex AI's tenant projects by exploiting a vulnerability that gave them code execution inside the tenant environment. From there, they mapped the service accounts, permissions, data flows, and cross-project access patterns, discovering multiple privilege escalation paths, data exposure risks, and a previously undocumented attack surface that most GCP customers do not know exists. The research demonstrates that these "shadow projects" hold customer data, connect to customer VPCs, and operate with broad permissions -- all outside the customer's visibility and control.
AI review
Excellent research pulling back the curtain on GCP's hidden tenant project architecture. The Vertex AI attack chain -- reverse shell via custom training job, scope bypass through machine type switching, privilege escalation to consumer resources, and full tenant project takeover -- is a clean, reproducible kill chain that reveals a meaningful attack surface most GCP customers don't even know exists.