Tenable Uncover ‘LeakyLooker’ Flaws in Google Looker Studio That Could Expose Cloud Data
The flaws could affect organisations using several Looker Studio data connectors, including Google Sheets, BigQuery, Cloud Spanner, PostgreSQL, MySQL and Google Cloud Storage.
Security researchers at Tenable have uncovered a series of vulnerabilities in Google Looker Studio that could allow attackers to run arbitrary SQL queries and extract sensitive data from organisations’ cloud databases.
The vulnerabilities, collectively dubbed “LeakyLooker,” include nine cross-tenant security flaws that could potentially expose data across multiple environments in Google’s cloud ecosystem.
According to the researchers, the affected data connectors include Google Sheets, BigQuery, Cloud Spanner, PostgreSQL, MySQL and Google Cloud Storage, so any organisation whose reports draw on those sources was within scope.
Looker Studio allows users to build interactive dashboards by connecting directly to live data sources. Tenable's researchers found, however, that the same Live Data architecture, which refreshes reports from the backing source rather than from a stored copy, could be turned against the underlying data systems it connects to.
The attack techniques fell into two classes: zero-click attacks, which require no interaction from the victim, and one-click attacks, where a user merely opening a malicious webpage or report is enough to trigger exploitation.
One key issue involved a “sticky credential” logic flaw in the platform’s Copy Report feature. This allowed attackers to duplicate reports while retaining the original owner’s credentials, potentially enabling them to modify or delete database tables.
Researchers also demonstrated a one-click data-exfiltration method in which a malicious report could cause a victim’s browser to run hidden code and transmit database activity logs to an attacker-controlled project.
“The vulnerabilities broke the fundamental promise that a ‘Viewer’ should never be able to control the data they are viewing,” said Liv Matan, Senior Research Engineer at Tenable. “Our discovery of ‘LeakyLooker’ vulnerabilities demonstrated a new attack surface that can be abused by attackers in cloud environments.”
Following responsible disclosure by Tenable, Google patched all nine vulnerabilities globally. Security experts recommend that organisations regularly review who holds Owner, Editor and Viewer access to reports, and remove data connectors that are no longer in use, to reduce future risk. A related setting worth checking is the credential mode on each data source: Looker Studio can run a connector either with the owner's credentials or with each viewer's own credentials, and the latter means a viewer can only see what their own account is permitted to query, whichever report they open or copy.
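As an added illustration of the permission review recommended above (example code written for this article, not Tenable's or Google's), the Python below walks a set of report permission records and flags sharing that widens access beyond named users in an approved domain, treating Owner and Editor grants as the more serious case because those roles can change what a report's viewers are served. It assumes the shape of the Looker Studio API `assets/{assetId}/permissions` response (a `permissions` map from role to a `members` list written as `user:`, `group:`, `domain:` or `serviceAccount:` strings); the report IDs, email addresses and the `example.com` domain are constructed, and no network calls are made so it runs offline.

```python
"""Review Looker Studio report sharing from API-style permission records.

Added example; not code from Tenable, Google or the article. It assumes the
shape of the Looker Studio API `assets/{assetId}/permissions` response
(a "permissions" map from role name to {"members": [...]}, with members
written as "user:", "group:", "domain:" or "serviceAccount:" strings) and
uses constructed, fictional reports. Fetching the records over the network
is deliberately left out so the audit logic itself can run offline.
"""
from __future__ import annotations

from dataclasses import dataclass

# Roles that can change a report's data sources and therefore control what
# viewers are shown; external or broad grants here are the worst case.
CONTROLLING_ROLES = {"OWNER", "EDITOR"}


@dataclass(frozen=True)
class Finding:
    asset_id: str
    role: str
    member: str
    severity: str  # "high" for OWNER/EDITOR grants, "medium" for VIEWER
    reason: str


def _severity(role: str) -> str:
    return "high" if role in CONTROLLING_ROLES else "medium"


def audit_permissions(asset_id: str, permissions: dict, allowed_domains: set[str]) -> list[Finding]:
    """Return one Finding per member that widens access beyond named, in-domain principals."""
    findings: list[Finding] = []
    for role, block in permissions.items():
        for member in block.get("members", []):
            kind, _, principal = member.partition(":")
            if kind == "domain":
                reason = "shared with an entire domain"
            elif kind == "group":
                reason = "shared with a group whose membership is not visible here"
            elif kind in ("user", "serviceAccount"):
                if principal.rsplit("@", 1)[-1] in allowed_domains:
                    continue  # named principal in an approved domain: nothing to flag
                reason = "principal outside the approved domains"
            else:
                reason = f"unrecognised member type {kind!r}"
            findings.append(Finding(asset_id, role, member, _severity(role), reason))
    return findings


def audit_reports(reports: dict[str, dict], allowed_domains: set[str]) -> dict[str, list[Finding]]:
    """Audit every report and keep only those with at least one finding."""
    result: dict[str, list[Finding]] = {}
    for asset_id, asset in reports.items():
        findings = audit_permissions(asset_id, asset.get("permissions", {}), allowed_domains)
        if findings:
            result[asset_id] = findings
    return result


def high_severity(audit: dict[str, list[Finding]]) -> list[Finding]:
    """Flatten an audit result to just the OWNER/EDITOR findings, for triage first."""
    return [f for findings in audit.values() for f in findings if f.severity == "high"]


# Constructed sample data standing in for three permissions responses (fictional).
SAMPLE_REPORTS = {
    "report-sales-q1": {"permissions": {
        "OWNER": {"members": ["user:alice@example.com"]},
        "EDITOR": {"members": ["user:bob@example.com", "user:contractor@partner.example"]},
        "VIEWER": {"members": ["domain:example.com"]},
    }},
    "report-hr-internal": {"permissions": {
        "OWNER": {"members": ["user:carol@example.com"]},
        "VIEWER": {"members": ["group:hr-leads@example.com"]},
    }},
    "report-personal": {"permissions": {
        "OWNER": {"members": ["user:dave@example.com"]},
    }},
}


if __name__ == "__main__":
    for asset_id, findings in audit_reports(SAMPLE_REPORTS, {"example.com"}).items():
        for f in findings:
            print(f"[{f.severity}] {asset_id}: {f.role} -> {f.member} ({f.reason})")
```

Group grants are reported rather than silently accepted because the permissions record does not reveal who is in the group; resolving membership through the directory is the natural next step, and is left out here.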