- Tenable discovers nine flaws in Looker Studio called LeakyLooker
- Bugs allowed cross-tenant SQL injection and credential leaks
- Google has fixed all nine vulnerabilities; users are advised to review who has access to their reports
A series of nine vulnerabilities in Google Looker Studio can be used to execute arbitrary SQL queries against target databases and extract sensitive data from users’ Google Cloud environments, experts have revealed.
Tenable security researchers discovered the flaws, dubbed LeakyLooker, which exposed sensitive data in Google Cloud environments and affected users of just about any Looker Studio data connector, including Google Sheets, PostgreSQL, MySQL and others.
“Achieving complete isolation while providing live data is a difficult task that can be imperfect,” Tenable said in its findings, adding that the tool’s “Live Data” architecture, designed for real-time report updates, was a real Achilles’ heel. “Attackers could exploit this via 0-click (no interaction with victim) and 1-click (victim opens a malicious website controlled by the attacker) vulnerabilities.”
Issues with Looker Studio
Looker Studio is a free data visualization and reporting tool from Google that allows users to transform raw data into interactive dashboards and reports. It is also very popular, as the Looker family of products has over 10 million monthly users.
Here’s a quick overview of the bugs Tenable discovered:
- Unauthorized Cross-Tenant Access – Clickless SQL Injection on Database Connectors – TRA-2025-28
- Unauthorized Cross-Tenant Access – Clickless SQL Injection via Stored Credentials – TRA-2025-29
- Cross-Tenant SQL Injection on BigQuery via Native Functions – TRA-2025-27
- Leaking data sources between tenants with hyperlinks – TRA-2025-40
- Cross-Tenant SQL Injection on Spanner and BigQuery via Custom Queries on a Victim’s Data Source – TRA-2025-38
- Cross-Tenant SQL Injection on BigQuery and Spanner via Binding API – TRA-2025-37
- Leaking Cross-Tenant Data Sources with Image Rendering – TRA-2025-30
- Cross-Tenant XS Leak on Arbitrary Data Sources with Frame Counting and Timing Oracles – TRA-2025-31
- Denial of wallet between tenants via BigQuery – TRA-2025-41
The most concerning vulnerability was the “Sticky Credential” logic flaw in the “Copy Report” functionality, which unauthorized attackers could use to clone reports while retaining the original owner’s credentials.
Google has since fixed all nine bugs worldwide, and Tenable recommends users regularly check who has “View” access to public and private reports.