Tenable Uncovers 'LeakyLooker' Vulnerabilities in Google Looker Studio Allowing Cross-Tenant Data Access
Tenable Research has disclosed nine cross-tenant vulnerabilities in Google Looker Studio, collectively named LeakyLooker, that could allow attackers to run arbitrary SQL queries and access sensitive cloud data across tenants.

Tenable Research has disclosed a set of nine cross-tenant vulnerabilities in Google Looker Studio, collectively named LeakyLooker, that could allow attackers to run arbitrary SQL queries against victims' databases and access datasets across different cloud tenants. The flaws affect the cloud-based business intelligence platform formerly known as Data Studio, which is widely used to transform raw data into dashboards and visual reports.
The vulnerabilities stem from weaknesses in how Looker Studio handles authentication and data connectors. The platform allows reports to retrieve data using either the report owner's credentials or those of the viewer, depending on configuration. Tenable researchers identified two distinct attack paths. The 0-click path targets owner credentials: crafted server-side requests trigger SQL queries that execute with the report owner's authentication. The 1-click path targets viewer credentials: victims unknowingly run malicious SQL queries when they open a manipulated report or link.
These attack techniques were enabled by several underlying vulnerabilities, including SQL injection flaws in database connectors, data leaks through report elements such as hyperlinks or rendered images, and a denial-of-wallet issue affecting BigQuery resources. The affected connectors include BigQuery, Spanner, PostgreSQL, MySQL, Google Sheets, and Cloud Storage. Tenable researchers noted that attackers could theoretically search for publicly accessible reports and use them as entry points to exfiltrate data, insert records, or delete tables in connected databases.
In another scenario, a report copy feature preserved stored database credentials when a viewer duplicated a report. This allowed the new report owner to run custom SQL queries using the original database authentication, even without knowing the password. Because Looker Studio integrates deeply with Google Cloud infrastructure, the researchers said the platform introduced an unusually broad attack surface.
All nine vulnerabilities were reported to Google through responsible disclosure. The company worked with Tenable to investigate the findings and implement fixes across the platform. Because Looker Studio is a fully managed service, the patches were deployed globally and no action is required from customers.
Tenable researchers noted that the findings highlight how analytics platforms can become unexpected entry points into cloud environments. They advised organisations to review report-sharing settings, limit unused connectors, and treat BI integrations as part of their security attack surface.