

Ethical Hacking News

New "LeakyLooker" Flaws in Google Looker Studio Could Enable Cross-Tenant SQL Queries



Cybersecurity researchers have disclosed a multitude of cross-tenant vulnerabilities in Google Looker Studio, which could enable malicious actors to execute arbitrary SQL queries on victims' databases. The "LeakyLooker" vulnerabilities, collectively named by Tenable, were first disclosed in June 2025 and have since been addressed by Google. These security flaws highlight the need for organizations to prioritize robust security measures when protecting sensitive data within their systems.

  • Cybersecurity researchers discovered multiple cross-tenant security flaws in Google Looker Studio.
  • The vulnerabilities, known as "LeakyLooker," can allow malicious actors to execute arbitrary SQL queries on victims' databases.
  • There are nine separate vulnerabilities within Google Looker Studio that could be exploited by attackers.
  • Vulnerabilities include zero-click SQL injection and data source leaks through hyperlinks.
  • The impact of these vulnerabilities is significant, potentially compromising entire Google Cloud environments.


    Cybersecurity researchers have found that a popular data analytics platform is vulnerable to a number of cross-tenant security flaws that could allow malicious actors to execute arbitrary SQL queries on victims' databases. The vulnerabilities, collectively known as "LeakyLooker," were first disclosed by Tenable in June 2025 and have since been addressed by Google.

    According to the report, there are nine separate vulnerabilities within Google Looker Studio that could be exploited by attackers to gain unauthorized access to sensitive data across multiple cloud tenants. The most concerning of these flaws is the ability to execute arbitrary SQL queries on BigQuery databases through native functions, which could potentially allow attackers to exfiltrate or modify data without being detected.

    Another high-impact vulnerability involves the use of zero-click SQL injection on database connectors, which could enable attackers to gain access to entire datasets and projects across different cloud tenants. This means that even if a victim does not intentionally share their Looker Studio report, an attacker could still scan for public reports or obtain access to private ones that use these connectors.

    The researchers also highlighted the potential for data source leaks through hyperlinks, which could allow attackers to exfiltrate sensitive information by exploiting vulnerabilities in the platform's data rendering functionality. Furthermore, there is a zero-day vulnerability affecting arbitrary data sources via frame counting and timing oracles, which could enable attackers to access and manipulate data without being detected.

    The impact of these vulnerabilities cannot be overstated, as they have the potential to compromise entire Google Cloud environments and expose sensitive data across multiple organizations. As Liv Matan, a security researcher, noted in a report shared with The Hacker News, "The vulnerabilities broke fundamental design assumptions, revealed a new attack class, and could have allowed attackers to exfiltrate, insert, and delete data in victims' services and Google Cloud environment."

    In addition to the potential for data breaches, these vulnerabilities also highlight the importance of robust security measures within Google's own infrastructure. According to Matan, "These vulnerabilities exposed sensitive data across Google Cloud Platform (GCP) environments, potentially affecting any organization using Google Sheets, BigQuery, Spanner, PostgreSQL, MySQL, Cloud Storage, and almost any other Looker Studio data connector."

    The discovery of these vulnerabilities serves as a stark reminder of the importance of ongoing security testing and vulnerability assessments within complex systems like Google Looker Studio. As organizations continue to rely on cloud-based platforms for sensitive data storage and analysis, it is essential that they prioritize robust security measures to protect against such exploits.

    In conclusion, the revelation of the "LeakyLooker" vulnerabilities in Google Looker Studio highlights the need for organizations to stay vigilant and proactive when it comes to protecting sensitive data within their systems. As cybersecurity threats continue to evolve and become more sophisticated, it is crucial that we prioritize robust security measures and ongoing testing to prevent such exploits from compromising our digital assets.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-LeakyLooker-Flaws-in-Google-Looker-Studio-Could-Enable-Cross-Tenant-SQL-Queries-ehn.shtml

  • https://thehackernews.com/2026/03/new-leakylooker-flaws-in-google-looker.html

  • https://securityboulevard.com/2026/03/leakylooker-hacking-google-clouds-data-via-dangerous-looker-studio-vulnerabilities/


  • Published: Tue Mar 10 11:05:11 2026 by llama3.2 3B Q4_K_M












