Double Agents: Exposing Hidden Threats in AI Agent Platforms

Michael Katchinskiy, Hagai Kestenberg

fwd:cloudsec North America 2025 · Day 2 · Track 1 - Crystal

Michael Katchinskiy and Hagai Kestenberg, security researchers from the **Microsoft Defender for Cloud Research** team, presented remote research into the security of AI agent-building platforms, focusing on how attackers can discover, access, and exploit customer-facing conversational agents. The research demonstrated a complete attack methodology -- from reconnaissance (finding agent identifiers in public GitHub repositories) through access (interacting with anonymous agents or bypassing domain allow-list restrictions) to data exfiltration (extracting sensitive organizational data from agent knowledge bases). The primary demonstration was against Google's **Vertex AI Agent Builder**, where the researchers bypassed the **allowed domains** restriction for search agents using a simple local hosts file modification. Google responded that they do not treat the allowed domains feature as a security control. The findings extend across multiple platforms including IBM Watson X, WordPress AI, and Microsoft Copilot Studio.
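To make the point concrete, here is an added illustration (not code from the talk or from any of the platforms named) of why a domain allow-list evaluated on a client-supplied origin is a configuration convenience rather than an access control, placed beside a server-side session check that a local hosts-file change cannot satisfy. The domain, secret and session ids are constructed.

```python
import hashlib
import hmac

# Constructed sample policy: the only domain the agent widget is meant to be
# embedded on.
ALLOWED_DOMAINS = {"app.example.com"}

# Constructed demo secret; a real deployment would load it from a secret store.
SERVER_SECRET = b"constructed-demo-secret"


def allowlist_check(origin: str) -> bool:
    """Domain allow-list as a client-observable check.

    It only confirms that the request *claims* to come from an allowed name.
    A caller who makes that name resolve to their own machine (the hosts-file
    trick the talk describes) sends exactly such a request, so this is a
    configuration convenience, not an authorization boundary.
    """
    return origin.lower() in ALLOWED_DOMAINS


def issue_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Server-issued proof of an authenticated session (HMAC over its id)."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def auth_check(session_id: str, token: str, secret: bytes = SERVER_SECRET) -> bool:
    """Server-side control: verifies a secret-bound token that the client
    cannot forge by controlling name resolution on its own host."""
    expected = issue_token(session_id, secret)
    return hmac.compare_digest(expected, token)


def authorize_query(origin: str, session_id: str, token: str,
                    require_auth: bool) -> bool:
    """Gate an agent query. With require_auth=False the decision rests on the
    allow-list alone; with require_auth=True the session token must verify."""
    if not allowlist_check(origin):
        return False
    return auth_check(session_id, token) if require_auth else True
```

The allow-list-only path accepts any request that carries an allowed name, which is exactly what the spoofed-resolution case produces; the authenticated path rejects it unless a server-issued token is present.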

AI review

Microsoft researchers found that AI agents deployed with public access and static identifiers can be found via GitHub and interacted with by anyone. The allowed domains bypass is literally editing /etc/hosts. This is 'find API keys on GitHub' repackaged for the AI agent era -- it's a valid problem statement, but the technical depth is minimal and the bypass technique would not impress a first-year CTF player.
