In a recent cybersecurity disclosure, nine vulnerabilities collectively termed ‘LeakyLooker’ were uncovered in Google Looker Studio, a cloud-based data visualization and business intelligence platform. These flaws could have enabled attackers to execute unauthorized SQL queries, read confidential data, and alter records held in Google Cloud services without the affected user’s knowledge or consent. Google has since addressed the issues following responsible disclosure.
Understanding Google Looker Studio
Google Looker Studio, previously known as Data Studio, is designed to connect with various live data sources including BigQuery, Google Sheets, and Cloud Storage. It allows for the creation of real-time reports that can be shared via specific user credentials or public links. This powerful feature set, however, also introduced significant security risks.
The vulnerabilities stemmed from the platform’s permission-sharing model, which resembles that of Google Docs. The platform supports two ways of authenticating to a data source: Owner Credentials, where a report’s data is fetched using the report owner’s authentication regardless of who views it, and Viewer Credentials, where each viewer must authenticate to the data source individually.
The Exploitation Paths
Researchers from Tenable identified two distinct attack paths based on these credential models. The first, termed ‘0-click attacks’, abused Owner Credentials: crafted server-side requests manipulated data as if issued by the owner, with no interaction from the victim. The second, known as ‘1-click attacks’, relied on manipulated report links that executed malicious queries when an unsuspecting user opened them.
The researchers disclosed nine specific flaws, including zero-click SQL injections and cross-tenant data leaks, highlighting significant vulnerabilities in database connectors and report features.
Details of the Vulnerabilities
One of the most critical vulnerabilities, TRA-2025-28, allowed attackers to run arbitrary SQL commands through BigQuery by manipulating user-controlled column aliases. Using SQL comments and specific functions, they bypassed the input filters that were supposed to constrain the alias, gaining unauthorized data access.
Another notable issue, the ‘Sticky Credential’ flaw (TRA-2025-29), was found in the ‘Copy Report’ feature of Looker Studio. A copied report retained the original owner’s data source credentials, so an attacker who copied a report could execute operations such as ‘DELETE’ statements as the owner without ever knowing the owner’s password.
For 1-click attacks, the researchers used Looker Studio’s NATIVE_DIMENSION feature to inject SQL into calculated fields, bypassing keyword filters. This method allowed attackers to extract data systematically, reconstructing entire databases without the victim noticing.
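Both the column-alias flaw (TRA-2025-28) and the calculated-field injection above share a root cause: user-controlled text was folded into generated SQL after a keyword blocklist, and comments or function names slipped past that blocklist. The following Python is an added illustration of the defensive alternative, not code from Tenable’s research or from Looker Studio: it contrasts a naive blocklist with a strict identifier allowlist, and only builds a BigQuery statement when every identifier passes the allowlist. The sample aliases, the 128-character limit, and the single-identifier table name are constructed assumptions (BigQuery table references of the form project.dataset.table would need their own pattern); the point is that identifiers cannot be protected by query parameters, so they must be validated by shape.

```python
import re

# Allowlist for identifiers spliced into generated SQL: letters, digits and
# underscores, starting with a letter or underscore, at most 128 characters
# (the length cap is an assumed policy value, not a BigQuery limit).
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,127}$")

# A keyword blocklist of the kind that comment or function-name tricks slip past.
BLOCKED_TOKENS = ("select", "union", "drop", "delete", "insert", "update", ";")


def blocklist_accepts(alias: str) -> bool:
    """Weak check: rejects only when a blocked token appears verbatim."""
    lowered = alias.lower()
    return not any(token in lowered for token in BLOCKED_TOKENS)


def allowlist_accepts(alias: str) -> bool:
    """Strong check: accepts a plain identifier and nothing else."""
    return IDENTIFIER.fullmatch(alias) is not None


def build_select(table: str, column: str, alias: str) -> str:
    """Builds a single-column SELECT. Every identifier must pass the allowlist,
    because query parameters cannot stand in for table or column names."""
    for name in (table, column, alias):
        if not allowlist_accepts(name):
            raise ValueError(f"identifier rejected: {name!r}")
    return f"SELECT `{column}` AS `{alias}` FROM `{table}`"


# Constructed sample aliases (not taken from the advisory). The first is a
# legitimate alias; the others carry characters a plain identifier never needs
# (a comment, a quoting backtick and separator, a line break) yet contain no
# blocked keyword, so the blocklist lets them through.
SAMPLE_ALIASES = [
    "revenue_total",
    "total /* note */",
    "total` , `other",
    "total\n--",
]


def compare_filters(aliases=SAMPLE_ALIASES):
    """Returns {alias: (blocklist_verdict, allowlist_verdict)} for each sample."""
    return {a: (blocklist_accepts(a), allowlist_accepts(a)) for a in aliases}


if __name__ == "__main__":
    for alias, (weak, strong) in compare_filters().items():
        print(f"{alias!r:24} blocklist={weak!s:5} allowlist={strong}")
    print(build_select("sales", "amount", "revenue_total"))
```

Running the script shows every malformed alias accepted by the blocklist and rejected by the allowlist; only the plain identifier reaches the generated statement. A blocklist has to anticipate every bypass, whereas an allowlist only has to describe the one shape that is legitimate.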
Preventive Measures and Future Outlook
Though there is no indication these vulnerabilities were exploited in the wild, Google has deployed patches across all Looker Studio services. Security professionals are advised to audit who can view and copy reports, to treat BI connectors and their stored data source credentials as critical security components, and to revoke data source connections that are no longer needed.
As cybersecurity threats evolve, continuous monitoring and proactive measures remain essential. Staying informed about platform updates and security patches is crucial for safeguarding sensitive data.
