The LeakyLooker Vulnerabilities in Google’s Analytics Platform
Imagine a business intelligence tool designed to visualize data becoming a backdoor to the cloud itself. That was the startling reality uncovered by Tenable Research, which identified a cluster of nine security flaws in Google Looker Studio. Dubbed ‘LeakyLooker,’ these cross-tenant vulnerabilities resided in the platform formerly known as Google Data Studio.
Looker Studio is a popular service for creating dashboards and reports. It pulls data from sources like Google BigQuery, Sheets, and other SQL databases. This deep integration with Google’s cloud infrastructure, however, made the platform an unexpectedly large target for attackers. The platform’s architecture inadvertently created a broad attack surface where a single compromised report could have far-reaching consequences.
Two Paths to Exploitation: Zero-Click and One-Click Attacks
Tenable’s investigation pinpointed weaknesses in the platform’s authentication and data connector systems. The core issue? Looker Studio can run queries using either the report creator’s credentials or the viewer’s credentials. This design flaw opened up two distinct avenues for malicious activity.
The first path required no user interaction. In a ‘0-click’ attack, a threat actor could craft server-side requests that triggered SQL queries executed with the report owner’s high-level permissions. No button click needed; the damage could be done remotely.
The second method was a ‘1-click’ attack. Here, a victim only needed to open a manipulated report or a malicious link. Upon viewing it, malicious SQL queries would run using the viewer’s own database credentials, potentially compromising their data.
Underlying Flaws That Enabled the Attacks
These attack techniques were powered by several critical underlying issues. Researchers found SQL injection flaws in the platform’s database connectors. Sensitive data could also leak through seemingly benign report elements like hyperlinks or embedded images. A particularly concerning flaw, dubbed a ‘denial-of-wallet’ issue, could have allowed attackers to run up massive bills on a victim’s BigQuery resources.
Potential Impact and the Path to Remediation
The scope was significant. Connectors for BigQuery, Cloud Spanner, PostgreSQL, MySQL, Google Sheets, and Cloud Storage were all affected. An attacker could have scoured the web for publicly shared Looker reports. These reports could then serve as a launchpad to steal data, insert false records, or even delete entire tables in connected databases.
One subtle but dangerous feature was the report copy function. When a viewer duplicated a report, it sometimes preserved the original database credentials. The new owner of the copied report could then run custom SQL queries against the original database, all without ever knowing the password.
Tenable responsibly disclosed all nine vulnerabilities to Google. The tech giant collaborated with the researchers to investigate and roll out fixes. Since Looker Studio is a fully managed service, Google deployed the patches globally. Customers did not need to take any action to be protected.
Securing Your Business Intelligence Front
This episode serves as a crucial reminder. Analytics and business intelligence platforms are often overlooked in security assessments. They are powerful tools that connect directly to crown-jewel data stores, making them attractive targets.
Organizations should proactively manage this risk. Regularly audit report-sharing settings and ensure only necessary individuals have access. Limit or remove unused data connectors to shrink the attack surface. Most importantly, treat BI and analytics integrations as a core component of your cloud security strategy, not an afterthought. The line between data visualization and data vulnerability can be thinner than it appears.
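As an added illustration (not code from Tenable or Google), the audit described above can be sketched as a triage pass over a report inventory, flagging the combinations this article highlights: owner-credential data sources behind open sharing, BigQuery sources exposed to cost abuse, and connectors nobody uses. The inventory format, its field names, the finding codes and the 180-day staleness threshold are all assumptions made for this example.

```python
# Added example: triage a report inventory for the exposure patterns above.
# The inventory format and its field names are hypothetical (constructed).

# Connectors the article lists as affected.
AFFECTED_CONNECTORS = {"bigquery", "cloud_spanner", "postgresql", "mysql",
                       "google_sheets", "cloud_storage"}
# Sharing modes that let someone without an explicit invite reach the report.
OPEN_SHARING = {"public", "anyone_with_link"}

# Constructed sample data, one entry per report/data-source pair.
SAMPLE_INVENTORY = [
    {"report": "sales-kpi", "sharing": "public", "connector": "bigquery",
     "credentials": "owner", "last_viewed_days": 3},
    {"report": "hr-headcount", "sharing": "restricted", "connector": "postgresql",
     "credentials": "viewer", "last_viewed_days": 12},
    {"report": "old-campaign", "sharing": "anyone_with_link", "connector": "mysql",
     "credentials": "owner", "last_viewed_days": 400},
    {"report": "team-notes", "sharing": "restricted", "connector": "csv_upload",
     "credentials": "owner", "last_viewed_days": 1},
]


def triage(entry, stale_after_days=180):
    """Return finding codes for one report/data-source pair."""
    connector = entry["connector"].lower()
    if connector not in AFFECTED_CONNECTORS:
        return []
    findings = []
    owner_creds = entry["credentials"] == "owner"
    # Queries run with the owner's permissions and the report is openly reachable.
    if owner_creds and entry["sharing"] in OPEN_SHARING:
        findings.append("OWNER_CREDS_OPEN_SHARING")
    # Denial-of-wallet angle: owner-run BigQuery queries need a cost limit.
    if owner_creds and connector == "bigquery":
        findings.append("CHECK_BIGQUERY_COST_LIMIT")
    # Queries run as whoever opens the report, so review who that can be.
    if not owner_creds:
        findings.append("RUNS_AS_VIEWER")
    # Unused connector: candidate for removal to shrink the attack surface.
    if entry["last_viewed_days"] > stale_after_days:
        findings.append("STALE_CONNECTOR")
    return findings


def audit(inventory):
    """Map report name to findings, most findings first, clean reports omitted."""
    results = [(e["report"], triage(e)) for e in inventory]
    flagged = [(name, f) for name, f in results if f]
    return dict(sorted(flagged, key=lambda item: -len(item[1])))


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```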