- Tenable discloses nine Looker Studio flaws, dubbed LeakyLooker
- Bugs enabled cross-tenant SQL injection and credential leakage
- Google has patched all vulnerabilities; users are encouraged to review report access
A series of nine vulnerabilities in Google Looker Studio can be used to run arbitrary SQL queries against target databases and pull sensitive data from people’s Google Cloud environments, experts have revealed.
Security researchers at Tenable found the flaws, dubbed LeakyLooker, which exposed sensitive data across Google Cloud environments and affected users of virtually all Looker Studio data connectors, including Google Sheets, PostgreSQL, MySQL and others.
“Achieving full isolation while delivering live data is a difficult task that can be flawed,” Tenable said in its findings, adding that the tool’s “Live Data” architecture, designed for real-time report updates, was a real Achilles’ heel. “Attackers could exploit this through 0-click (no victim interaction) and 1-click (victim opens a malicious website controlled by the attacker) vulnerabilities.”
Looker Studio problems
Looker Studio is a free data visualization and reporting tool from Google that lets people turn raw data into interactive dashboards and reports. It’s also quite popular, as the wider Looker product family has more than 10 million monthly users.
Here is a brief summary of the bugs that Tenable has revealed:
- Unauthorized Cross-Tenant Access – Zero-Click SQL Injection on Database Connectors – TRA-2025-28
- Cross Tenant Unauthorized Access – Zero Click SQL Injection Through Stored Credentials – TRA-2025-29
- Cross Tenant SQL injection on BigQuery through built-in functions – TRA-2025-27
- Cross tenant data sources leak with hyperlinks – TRA-2025-40
- Cross Tenant SQL injection on Spanner and BigQuery through custom queries on a victim’s data source – TRA-2025-38
- Cross Tenant SQL Injection on BigQuery and Spanner Through the Linking API – TRA-2025-37
- Cross tenant data sources leak with image rendering – TRA-2025-30
- Cross Tenant XS-Leak on arbitrary data sources with frame counting and timing oracles – TRA-2025-31
- Cross Tenant Denial of Wallet through BigQuery – TRA-2025-41
Most concerning among the vulnerabilities was the “Sticky Credential” logic flaw in the “Copy Report” function, which unauthorized attackers could use to clone reports while retaining the original owner’s credentials.
Google has since fixed all nine bugs globally, and Tenable recommends that users regularly review who has “View” access to both public and private reports.



