RESEARCHERS uncovered nine cross-tenant vulnerabilities in Google Looker Studio, collectively named LeakyLooker by Tenable Research, which could have allowed attackers to extract or manipulate sensitive cloud data. The flaws affect the cloud-based BI platform, formerly known as Data Studio, and potentially expose data stored across Google services by enabling attackers to run arbitrary SQL queries against victims’ databases.
Looker Studio’s authentication and data connectors were found to create two attack paths: 0-click attacks targeting owner credentials and 1-click attacks targeting viewer credentials, exploited via crafted requests or manipulated reports. These techniques were enabled by underlying issues including SQL injection flaws in connectors, data leaks through report elements, and a denial-of-wallet issue affecting BigQuery resources.
The vulnerabilities impacted connectors linking Looker Studio to BigQuery, Spanner, PostgreSQL, MySQL, Google Sheets and Cloud Storage, and researchers noted that a report copy feature could preserve stored credentials for the new report owner. All nine flaws were reported through responsible disclosure, and patches were deployed globally with no customer action required, according to Tenable Research.