- Tenable discovers nine Looker Studio flaws called LeakyLooker
- Bugs allowed cross-tenant SQL injection and credential leaks
- Google patched all vulnerabilities; users are encouraged to review access to their reports.
Experts have revealed that a series of nine vulnerabilities in Google Looker Studio can be used to execute arbitrary SQL queries against target databases and extract sensitive data from people’s Google Cloud environments.
Tenable security researchers found flaws, called LeakyLooker, that exposed sensitive data in Google Cloud environments, affecting those using virtually any Looker Studio data connector, including Google Sheets, PostgreSQL, MySQL, and others.
“Achieving complete isolation while providing live data is a difficult task that can be flawed,” Tenable said in its findings, adding that the tool’s “Live Data” architecture, designed for real-time report updates, was a true Achilles’ heel. “Attackers could exploit this via 0-click (no interaction with the victim) and 1-click (victim opens a malicious website controlled by the attacker) vulnerabilities.”
Problems with Looker Studio
Looker Studio is a free data visualization and reporting tool from Google that allows people to turn raw data into interactive dashboards and reports. It’s also quite popular, as the broader Looker family of products has over 10 million monthly users.
Here’s a brief overview of the bugs Tenable discovered:
- Unauthorized cross-tenant access: zero-click SQL injection on database connectors – TRA-2025-28
- Unauthorized cross-tenant access: clickless SQL injection via stored credentials – TRA-2025-29
- Cross-tenant SQL injection in BigQuery via native functions – TRA-2025-27
- Data source leaks between hyperlinked tenants – TRA-2025-40
- Cross-tenant SQL injection in Spanner and BigQuery using custom queries on a victim’s data source – TRA-2025-38
- Cross-tenant SQL injection in BigQuery and Spanner via Binding API – TRA-2025-37
- Leaking data sources between tenants with image rendering – TRA-2025-30
- Cross-tenant XS leak on arbitrary data sources with frame counting and synchronization oracles – TRA-2025-31
- Wallet denial between tenants via BigQuery – TRA-2025-41
Most concerning among the vulnerabilities was the “Sticky Credential” logic flaw in the “Copy Report” function, which unauthorized attackers could use to clone reports while maintaining the original owner’s credentials.
Google has since fixed all nine bugs globally, and Tenable recommends users periodically review who has “View” access to public and private reports.
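The access review Tenable recommends is easier to do at scale than by hand. The script below is an added example written for this article, not code from Tenable or Google: it takes a list of reports with their sharing permissions and flags any whose "View" or "Edit" grants go outside the organisation's own domain, to an entire domain, or to the public. The payload shape (roles OWNER/EDITOR/VIEWER with members written as `user:`, `group:`, `domain:`) is modelled on the Looker Studio API's asset permissions resource but should be treated as an assumption, the `anyone` member value is likewise assumed, and the sample reports are constructed.

```python
"""Audit Looker Studio report sharing for overly broad "View" access.

Added example for this article; not from Tenable, Google, or the page.
The payload shape is modelled on the Looker Studio API's asset
permissions resource (roles OWNER/EDITOR/VIEWER, members such as
user:, group:, domain:) and is an assumption; the data is constructed.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: what an audit job might collect by listing reports
# and then fetching each report's permissions. Not real data.
SAMPLE_REPORTS = json.loads("""
[
  {"assetId": "rpt-finance-q3", "title": "Finance Q3",
   "permissions": {"OWNER": {"members": ["user:cfo@example.com"]},
                   "EDITOR": {"members": ["group:finance@example.com"]},
                   "VIEWER": {"members": ["user:analyst@example.com"]}}},
  {"assetId": "rpt-sales-public", "title": "Sales dashboard",
   "permissions": {"OWNER": {"members": ["user:ops@example.com"]},
                   "VIEWER": {"members": ["domain:example.com",
                                          "user:contractor@partner.test"]}}},
  {"assetId": "rpt-hr-links", "title": "HR headcount",
   "permissions": {"OWNER": {"members": ["user:hr@example.com"]},
                   "VIEWER": {"members": ["anyone"]}}}
]
""")


@dataclass
class Finding:
    asset_id: str
    title: str
    reasons: List[str] = field(default_factory=list)


def classify_member(member: str, home_domain: str) -> Optional[str]:
    """Return a reason string if this grant deserves a human review, else None.

    'anyone' / 'anyoneWithLink' are assumed spellings for public sharing.
    """
    if member == "anyone" or member.startswith("anyoneWithLink"):
        return f"shared publicly ({member})"
    kind, _, value = member.partition(":")
    if kind == "domain":
        # A whole-domain grant is broad even when it is our own domain.
        return f"shared with an entire domain ({value})"
    if kind in ("user", "group", "serviceAccount"):
        if not value.lower().endswith("@" + home_domain.lower()):
            return f"external {kind} {value}"
    return None


def audit_reports(reports, home_domain: str) -> List[Finding]:
    """Collect reports whose VIEWER or EDITOR grants look broader than intended."""
    findings = []
    for report in reports:
        reasons = []
        for role in ("VIEWER", "EDITOR"):
            members = report.get("permissions", {}).get(role, {}).get("members", [])
            for member in members:
                reason = classify_member(member, home_domain)
                if reason:
                    reasons.append(f"{role}: {reason}")
        if reasons:
            findings.append(Finding(report["assetId"], report["title"], reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_reports(SAMPLE_REPORTS, "example.com"):
        print(finding.asset_id, "-", finding.title)
        for reason in finding.reasons:
            print("   *", reason)
```

Run against the constructed sample it reports the two broadly shared dashboards and stays silent on the one shared only with named internal users. Reports that a script like this flags are the ones whose data sources are worth re-checking, since a viewer of a report that uses the owner's stored credentials sees live data from the owner's database, not their own.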