
Cybersecurity researchers have revealed nine cross-tenant vulnerabilities in Google Looker Studio. The vulnerabilities could allow an attacker to execute arbitrary SQL queries against a victim’s database, potentially exposing sensitive data within an organization’s Google Cloud environment.
Tenable collectively refers to these shortcomings as LeakyLooker. There is no evidence that the vulnerabilities have been exploited in the wild. After responsible disclosure in June 2025, Google addressed the issues.
Here is a list of security flaws:
“This vulnerability violates fundamental design assumptions and exposes a new class of attacks that could allow an attacker to exfiltrate, insert, or delete data on a victim’s services or Google Cloud environment,” security researcher Liv Matan said in a report shared with Hacker News.
“These vulnerabilities could potentially expose sensitive data across Google Cloud Platform (GCP) environments, impacting organizations using Google Sheets, BigQuery, Spanner, PostgreSQL, MySQL, Cloud Storage, and nearly all other Looker Studio data connectors.”
Successful exploitation of cross-tenant flaws could allow threat actors to access datasets and projects across different cloud tenants.
An attacker could scan for public Looker Studio reports, or gain access to private reports, that use these connectors (such as BigQuery), then gain control of the database and run arbitrary SQL queries across the owner’s GCP projects.
Alternatively, a victim may create a public report, or share one with specific recipients, that uses a JDBC-connected data source such as PostgreSQL. In this scenario, an attacker could exploit a logical flaw in the report copy functionality to create a duplicate report that retains the original owner’s credentials, allowing the attacker to delete or modify the table.
Another high-impact vector detailed by the cybersecurity firm involves one-click data exfiltration, where sharing a specially crafted report executes malicious code in a victim’s browser, accessing attacker-controlled projects and rebuilding entire databases from logs.
“This vulnerability breaks the fundamental promise that ‘viewers’ can never control the data they are viewing,” Matan said, adding that “an attacker could potentially leak or modify data across Google services, including BigQuery and Google Sheets.”
