Researchers Uncover ‘LeakyLooker’ Vulnerabilities in Google Looker

By Team-CWD, March 11, 2026
A set of nine cross-tenant vulnerabilities in Google Looker Studio that could have enabled attackers to extract or manipulate sensitive cloud data has been uncovered by cybersecurity researchers.

The flaws, collectively named LeakyLooker by Tenable Research, affected the cloud-based business intelligence platform formerly known as Data Studio and potentially exposed data stored across several Google services.

The issues could have enabled attackers to run arbitrary SQL queries against victims’ databases and access datasets across different cloud tenants.

Looker Studio is widely used to transform raw data into dashboards and visual reports. It connects to multiple data sources, including Google BigQuery, Google Sheets and other SQL databases. Because the platform integrates deeply with Google Cloud infrastructure, the researchers said it introduced an unusually broad attack surface.

Two Separate Attack Paths

Tenable researchers identified weaknesses in how Looker Studio handled authentication and data connectors. The platform allows reports to retrieve data using either the report owner’s credentials or those of the viewer, depending on configuration.

According to the researchers, this architecture created two distinct attack paths that could be exploited by malicious actors.

  • 0-click attacks targeting owner credentials: Attackers could trigger SQL queries executed with the report owner’s authentication through crafted server-side requests

  • 1-click attacks targeting viewer credentials: Victims could unknowingly run malicious SQL queries when opening a manipulated report or link

These attack techniques were enabled by several underlying vulnerabilities in the platform, including SQL injection flaws in database connectors, data leaks through report elements such as hyperlinks or rendered images and a denial-of-wallet issue affecting BigQuery resources.

Potential Impact and Google’s Response

The vulnerabilities affected connectors used to link Looker Studio reports with a range of cloud services. These included BigQuery, Spanner, PostgreSQL, MySQL, Google Sheets and Cloud Storage.

The researchers said attackers could theoretically search for publicly accessible reports and use them as entry points to exfiltrate data, insert records or delete tables in connected databases.

In another scenario, a report copy feature preserved stored database credentials when duplicated by a viewer. This allowed the new report owner to run custom SQL queries using the original database authentication, even without knowing the password.

All nine vulnerabilities were reported to Google through responsible disclosure. The company worked with Tenable to investigate the findings and implement fixes across the platform.

Because Looker Studio is a fully managed service, the patches were deployed globally and no action is required from customers.

Tenable researchers noted that the findings highlight how analytics platforms can become unexpected entry points into cloud environments.

They advised organisations to review report-sharing settings, limit unused connectors and treat BI integrations as part of their security attack surface.
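
The review the researchers recommend can be run as a triage over a report inventory. The sketch below is an added example, not code from Tenable or Google. The `Report` record, its field names and the sample inventory are hypothetical and constructed for illustration; they are not a Looker Studio API schema.

```python
from dataclasses import dataclass

# SQL-backed connectors named in the article.
SQL_CONNECTORS = {"bigquery", "spanner", "postgresql", "mysql"}

@dataclass(frozen=True)
class Report:              # hypothetical inventory record, not a Looker Studio schema
    name: str
    sharing: str           # "public", "link" or "restricted"
    credentials: str       # "owner" or "viewer"
    connectors: tuple      # connector types attached to the report
    used: tuple            # connectors that charts actually query
    stored_db_creds: bool  # a database password is saved in the data source
    viewers_can_copy: bool

def triage(r):
    """Return the list of review findings for one report."""
    findings = []
    sql = sorted(SQL_CONNECTORS & set(r.connectors))
    # Broadly shared report that queries a SQL source as its owner.
    if r.sharing != "restricted" and r.credentials == "owner" and sql:
        findings.append("shared beyond named users with owner credentials on: " + ", ".join(sql))
    # Copying a report was described as carrying stored credentials along.
    if r.stored_db_creds and r.viewers_can_copy:
        findings.append("stored database credentials on a report viewers can copy")
    unused = sorted(set(r.connectors) - set(r.used))
    if unused:
        findings.append("unused connectors: " + ", ".join(unused))
    return findings

def review(inventory):
    """Map report name -> findings, most findings first, clean reports omitted."""
    flagged = {r.name: triage(r) for r in inventory}
    flagged = {n: f for n, f in flagged.items() if f}
    return dict(sorted(flagged.items(), key=lambda kv: (-len(kv[1]), kv[0])))

# Constructed sample inventory for illustration.
INVENTORY = [
    Report("sales-kpis", "public", "owner", ("bigquery", "sheets"), ("bigquery",), False, True),
    Report("ops-db", "link", "owner", ("postgresql",), ("postgresql",), True, True),
    Report("hr-private", "restricted", "viewer", ("bigquery",), ("bigquery",), False, False),
]

if __name__ == "__main__":
    for name, findings in review(INVENTORY).items():
        print(name)
        for f in findings:
            print("  -", f)
```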
