- Tenable uncovers nine Looker Studio flaws dubbed LeakyLooker
- Bugs enabled cross-tenant SQL injection and credential leaks
- Google patched all vulnerabilities; users urged to review report access
A series of nine vulnerabilities in Google Looker Studio can be used to run arbitrary SQL queries against target databases and pull sensitive data from people’s Google Cloud environments, experts have revealed.
Security researchers Tenable found the flaws, dubbed LeakyLooker, which exposed sensitive data across Google Cloud environments, affecting those who are using pretty much any Looker Studio data connector, including Google Sheets, PostgreSQL, MySQL, and others.
“Achieving full isolation while providing live data is a difficult task that can be flawed,” Tenable said in its findings, adding that the tool’s “Live Data” architecture, designed for real-time report updates, was a real Achilles’ heel. “Attackers could exploit this through 0-click (no victim interaction) and 1-click (victim opens a malicious website controlled by the attacker) vulnerabilities.”
Article continues below
Looker Studio issues
Looker Studio is a free data visualization and reporting tool from Google that lets people turn raw data into interactive dashboards and reports. It is quite popular, too, as the broader Looker product family has more than 10 million monthly users.
Here is a brief overview of the bugs Tenable uncovered:
- Cross Tenant Unauthorised Access – Zero-Click SQL Injection on Database Connectors – TRA-2025-28
- Cross Tenant Unauthorised Access – Zero-Click SQL Injection Through Stored Credentials – TRA-2025-29
- Cross Tenant SQL Injection on BigQuery Through Native Functions – TRA-2025-27
- Cross Tenant Data Sources Leak With Hyperlinks – TRA-2025-40
- Cross Tenant SQL injection on Spanner and BigQuery Through Custom Queries on a Victim’s Data Source – TRA-2025-38
- Cross Tenant SQL Injection on BigQuery and Spanner Through the Linking API – TRA-2025-37
- Cross Tenant Data Sources Leak With Image Rendering – TRA-2025-30
- Cross Tenant XS Leak on Arbitrary Data Sources With Frame Counting and Timing Oracles – TRA-2025-31
- Cross Tenant Denial of Wallet Through BigQuery – TRA-2025-41
The most worrying among the vulnerabilities was the “Sticky Credential” logic flaw in the “Copy Report” feature, that unauthorized attackers could use to clone reports while keeping the original owner’s credentials.
Google has since patched all nine bugs globally, and Tenable recommends users regularly review who has “View” access to both public and private reports.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
https://cdn.mos.cms.futurecdn.net/NGKiUcJVFBC8HkMp9dTo9a-1920-80.jpg
Source link
