Cybersecurity researchers have disclosed nine cross-tenant vulnerabilities in Google Looker Studio that would have allowed attackers to run arbitrary SQL queries against victims’ databases and exfiltrate sensitive information from organizations’ Google Cloud environments.
The shortcomings have been collectively named LeakyLooker by Tenable. There is no evidence that the vulnerabilities were exploited in the wild. Following responsible disclosure in June 2025, the issues have been addressed by Google.
The list of security flaws is as follows –
“The vulnerabilities broke fundamental design assumptions, revealed a new attack class, and could have allowed attackers to exfiltrate, insert, and delete data in victims’ services and Google Cloud environment,” security researcher Liv Matan said in a report shared with The Hacker News.
“These vulnerabilities exposed sensitive data across Google Cloud Platform (GCP) environments, potentially affecting any organization using Google Sheets, BigQuery, Spanner, PostgreSQL, MySQL, Cloud Storage, and virtually any other Looker Studio data connector.”
Successful exploitation of the cross-tenant flaws could allow threat actors to gain access to entire datasets and projects across different cloud tenants.
Attackers could scan for public Looker Studio reports or obtain access to private ones that use these connectors (e.g., BigQuery) and seize control of the databases, allowing them to run arbitrary SQL queries across the owner’s entire GCP project.
Alternatively, a victim creates a report as public or shares it with a specific recipient, and uses a JDBC-connected data source such as PostgreSQL. In this scenario, the attacker can take advantage of a logic flaw in the copy report feature that makes it possible to clone reports while retaining the original owner’s credentials, enabling them to delete or modify tables.
Another high-impact path detailed by the cybersecurity company involved one-click data exfiltration, where sharing a specially crafted report forces a victim’s browser to execute malicious code that contacts an attacker-controlled project to reconstruct entire databases from logs.
“The vulnerabilities broke the fundamental promise that a ‘Viewer’ should never be able to control the data they’re viewing,” Matan said, adding they “could have let attackers exfiltrate or modify data across Google services like BigQuery and Google Sheets.”
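The three paths above share a detectable symptom on the victim side: queries issued through a report's data-source credentials that touch datasets the report was never meant to read, that write or delete rather than select, or that reference a project other than the owner's. The triage script below is an added example written for this article, not Tenable's tooling or Google's; it runs a small set of constructed, simplified audit-log entries (only `principalEmail`, `project` and `query` are kept; the real BigQuery audit log nests these under `protoPayload`, so a production version would first flatten that structure) through an allow-list check and flags the three conditions.

```python
import json
import re
from typing import Dict, List, Set

# Constructed sample entries in a deliberately simplified shape (assumption:
# only the three fields used below are kept; real entries carry far more).
SAMPLE_LOG_LINES = [
    json.dumps({"principalEmail": "report-viewer@example.com", "project": "acme-analytics",
                "query": "SELECT region, SUM(revenue) FROM `acme-analytics.sales.orders` GROUP BY region"}),
    json.dumps({"principalEmail": "report-viewer@example.com", "project": "acme-analytics",
                "query": "SELECT * FROM `acme-analytics.hr.salaries`"}),
    json.dumps({"principalEmail": "report-viewer@example.com", "project": "acme-analytics",
                "query": "DELETE FROM `acme-analytics.sales.orders` WHERE TRUE"}),
    json.dumps({"principalEmail": "report-viewer@example.com", "project": "acme-analytics",
                "query": "INSERT INTO `unknown-external-proj.sink.dump` "
                         "SELECT * FROM `acme-analytics.hr.salaries`"}),
]

# Fully-qualified BigQuery table references look like `project.dataset.table`.
TABLE_REF = re.compile(r"`([a-z0-9-]+)\.([A-Za-z0-9_]+)\.([A-Za-z0-9_]+)`")
# A report that only visualises data should never issue DML or DDL.
MUTATING = re.compile(
    r"^\s*(INSERT|UPDATE|DELETE|MERGE|DROP|CREATE|ALTER|TRUNCATE)\b", re.IGNORECASE
)


def analyze(line: str, expected_project: str, allowed_datasets: Set[str]) -> List[str]:
    """Return a list of finding tags for one log entry (empty when benign)."""
    entry = json.loads(line)
    query = entry["query"]
    findings: List[str] = []

    # 1. Writes/deletes issued with a report's credentials (copy-report path).
    if MUTATING.match(query):
        findings.append("mutating-statement")

    # 2./3. References outside the owner's project (exfiltration to a foreign
    # project) or to datasets the report was not expected to read.
    for project, dataset, _table in TABLE_REF.findall(query):
        if project != expected_project:
            findings.append(f"cross-project:{project}")
        elif dataset not in allowed_datasets:
            findings.append(f"unexpected-dataset:{dataset}")
    return findings


def triage(lines: List[str], expected_project: str,
           allowed_datasets: Set[str]) -> Dict[int, List[str]]:
    """Map line index -> findings for every entry that raised at least one."""
    result: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        findings = analyze(line, expected_project, allowed_datasets)
        if findings:
            result[i] = findings
    return result


if __name__ == "__main__":
    # The report under review is only supposed to read the `sales` dataset.
    for idx, tags in triage(SAMPLE_LOG_LINES, "acme-analytics", {"sales"}).items():
        print(f"line {idx}: {', '.join(tags)}")
```

The allow-list of datasets per report is the key input: it encodes what a Viewer-facing report legitimately needs, so anything beyond it surfaces regardless of which of the three paths produced the query.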