Cybersecurity researchers have disclosed 9 cross-tenant vulnerabilities in Google Looker Studio that could have allowed attackers to run arbitrary SQL queries against victims’ databases and exfiltrate sensitive data from organizations’ Google Cloud environments.
The shortcomings have been collectively named LeakyLooker by Tenable. There is no evidence that the vulnerabilities were exploited in the wild. Following responsible disclosure in June 2025, the issues have been addressed by Google.
The list of security flaws is as follows –
“The vulnerabilities broke basic design assumptions, revealed a new attack class, and could have allowed attackers to exfiltrate, insert, and delete data in victims’ services and Google Cloud environment,” security researcher Liv Matan said in a report shared with The Hacker News.
“These vulnerabilities exposed sensitive data across Google Cloud Platform (GCP) environments, potentially affecting any organization using Google Sheets, BigQuery, Spanner, PostgreSQL, MySQL, Cloud Storage, and almost any other Looker Studio data connector.”
Successful exploitation of the cross-tenant flaws could allow threat actors to gain access to entire datasets and projects across different cloud tenants.
Attackers could scan for public Looker Studio reports or obtain access to private ones that use these connectors (e.g., BigQuery) and seize control of the databases, allowing them to run arbitrary SQL queries across the owner’s entire GCP project.
Alternatively, a victim creates a report as public or shares it with a specific recipient, and uses a JDBC-connected data source such as PostgreSQL. In this scenario, the attacker can exploit a logic flaw in the copy report feature that makes it possible to clone reports while retaining the original owner’s credentials, enabling them to delete or modify tables.
Another high-impact path detailed by the cybersecurity company involved one-click data exfiltration, where sharing a specially crafted report forces a victim’s browser to execute malicious code that contacts an attacker-controlled project to reconstruct entire databases from logs.
“The vulnerabilities broke the basic promise that a ‘Viewer’ should never be able to control the data they’re viewing,” Matan said, adding they “could have let attackers exfiltrate or modify data across Google services like BigQuery and Google Sheets.”