“LeakyLooker” Discovery Reveals Nine Vulnerabilities in Google Looker Studio, Exposing Sensitive Cloud Data

Tenable Research has uncovered a series of security vulnerabilities in Google Looker Studio, dubbed “LeakyLooker,” that allowed attackers to run arbitrary SQL queries on victims’ databases and exfiltrate sensitive data within organisations’ Google Cloud environments.

The “LeakyLooker” research identified nine novel cross-tenant vulnerabilities. These vulnerabilities exposed sensitive data across Google Cloud environments, potentially affecting any organisation using Google Sheets, BigQuery, Spanner, PostgreSQL, MySQL, Cloud Storage, and almost any other Looker Studio data connector. 

Looker Studio is designed to be highly flexible, providing live data, allowing users to connect to almost any data source. Achieving full isolation while providing live data is a difficult task that can be flawed. Tenable researchers demonstrated how Looker Studio’s “Live Data” architecture, designed for real-time report updates, served as an architectural Achilles’ heel. Attackers could exploit this through 0-click (no victim interaction) and 1-click (victim opens a malicious website controlled by the attacker) vulnerabilities ...