Google Looker Studio was affected by nine high‑impact “LeakyLooker” vulnerabilities that could have allowed attackers to exfiltrate or modify data across multiple Google Cloud services, but all issues have now been patched by Google following responsible disclosure from Tenable Research.

Overview of LeakyLooker

Tenable Research uncovered nine cross‑tenant vulnerabilities in Google Looker Studio, collectively dubbed LeakyLooker, that broke core isolation guarantees between different Google Cloud tenants.
These flaws could be abused to run arbitrary SQL against victims’ data sources and access datasets across services such as BigQuery, Google Sheets, Spanner, Cloud SQL (PostgreSQL/MySQL), and Cloud Storage through Looker Studio connectors.
Most importantly, the problems made both 0-click and 1-click attack chains possible. This meant that exploitation could happen without any interaction from the victim or just by getting the target to open a fake report or embedded frame. Google fixed all nine security holes in the managed Looker Studio service, so customers don't have to do it themselves.
Researchers created multi-statement BigQuery scripts inside a NATIVE_DIMENSION field that listed table and column metadata, iterated over string data, and exfiltrated it "blindly" by issuing SELECTs against attacker-controlled public exfil tables. They then used BigQuery access logs to reconstruct the victim's data.
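For defenders, the pattern described above (a multi-statement script that reads metadata and also queries a table in a project you do not own) can be hunted for in BigQuery query logs. The following is an added example, not code from Tenable, Google or the original article. It runs over constructed records in a simplified, assumed shape (`job`, `query`, `referencedTables`); the project names, the `INFORMATION_SCHEMA` heuristic and the pre-aggregation of a script's tables into one record are all assumptions.

```python
import json
import re

# Assumption: the GCP projects your organisation owns (hypothetical name).
TRUSTED_PROJECTS = {"acme-analytics"}
TABLE_RE = re.compile(r"^projects/([^/]+)/datasets/[^/]+/tables/.+$")

# Constructed sample records, one JSON object per line; not real audit logs.
SAMPLE_LOG = r"""
{"job": "job_a", "query": "SELECT region, SUM(total) FROM sales.orders GROUP BY region", "referencedTables": ["projects/acme-analytics/datasets/sales/tables/orders"]}
{"job": "job_b", "query": "SELECT table_name FROM sales.INFORMATION_SCHEMA.TABLES; SELECT 1 FROM `external-placeholder.drop.t1`", "referencedTables": ["projects/external-placeholder/datasets/drop/tables/t1"]}
{"job": "job_c", "query": "SELECT o.id FROM sales.orders o JOIN `bigquery-public-data.usa_names.usa_1910_2013` n ON o.name = n.name", "referencedTables": ["projects/acme-analytics/datasets/sales/tables/orders", "projects/bigquery-public-data/datasets/usa_names/tables/usa_1910_2013"]}
"""

def external_projects(tables):
    """Projects outside TRUSTED_PROJECTS among the referenced tables."""
    found = set()
    for table in tables:
        match = TABLE_RE.match(table)
        if match and match.group(1) not in TRUSTED_PROJECTS:
            found.add(match.group(1))
    return found

def statement_count(query):
    """Naive count: split on ';' (a ';' inside a string literal overcounts)."""
    return len([part for part in query.split(";") if part.strip()])

def triage(log_text):
    """Flag jobs that touch an external project AND look like a script."""
    findings = []
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        external = external_projects(record["referencedTables"])
        if not external:
            continue  # only trusted projects referenced
        reasons = []
        if statement_count(record["query"]) > 1:
            reasons.append("multi_statement")
        if "INFORMATION_SCHEMA" in record["query"].upper():
            reasons.append("metadata_enumeration")
        if reasons:  # a plain join against a public dataset is not flagged
            findings.append({"job": record["job"],
                             "external": sorted(external),
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Requiring a second signal alongside the external table keeps ordinary joins against public datasets (job_c) out of the results.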
If a report was shared or made public with settings that were not secure, any organization that used connectors to Google Sheets, BigQuery, Spanner, Cloud SQL, or Cloud Storage could have had its data stolen or been hit by queries that destroyed its data. Google has fixed all nine security holes in the managed Looker Studio service after working with Tenable through its Vulnerability Reward Program. Customers don't need to do any patching on their end.










