Cybersecurity researchers have disclosed nine cross-tenant vulnerabilities in Google Looker Studio that could have allowed attackers to run arbitrary SQL queries on victims’ databases and exfiltrate sensitive data within organisations’ Google Cloud environments. The flaws were collectively named LeakyLooker by Tenable, and there is no evidence that they were exploited in the wild. Following responsible disclosure in June 2025, Google addressed the issues.
According to Tenable, the flaws included cross-tenant unauthorized access via zero-click SQL injection on database connectors and through stored credentials, plus injections on BigQuery via native functions and through the Linking API, among other leakage and data manipulation paths. Security researcher Liv Matan described the vulnerabilities as breaking fundamental design assumptions, which could have let attackers exfiltrate or modify data across Google services such as BigQuery and Google Sheets.
If exploited, the flaws could have given attackers access to entire datasets and projects across different cloud tenants, including in scenarios where a victim shares a report or uses a JDBC-connected data source.