Google Looker Studio Vulnerabilities Could Have Exposed Cloud Databases Across Organizations
Cybersecurity researchers have uncovered a series of serious security weaknesses in Google Looker Studio that could have allowed attackers to access sensitive data stored in organizations’ Google Cloud environments.
According to security firm Tenable, the vulnerabilities were grouped under the name “LeakyLooker.” In total, researchers identified nine cross-tenant security flaws that could have enabled attackers to run unauthorized SQL queries on victims’ databases and potentially extract sensitive information.
Google has confirmed that the issues were fixed after responsible disclosure in June 2025, and there is currently no evidence that attackers exploited the vulnerabilities in real-world attacks.
What Is Google Looker Studio?
Google Looker Studio is a data visualization and reporting platform widely used by organizations to build dashboards connected to various data sources. These connectors include:
- Google BigQuery
- Google Sheets
- Cloud Spanner
- PostgreSQL
- MySQL
- Google Cloud Storage
Because the platform can connect to multiple databases across projects and environments, security flaws in the system can potentially expose large volumes of organizational data.

The “LeakyLooker” Vulnerabilities
Researchers discovered nine separate issues, all involving cross-tenant access risks. In cloud environments, tenants represent different organizations or accounts. These flaws could have allowed one tenant to interact with or manipulate another tenant’s data.
The vulnerabilities identified include:
- Cross-tenant unauthorized access through zero-click SQL injection in database connectors
- SQL injection using stored credentials
- SQL injection affecting BigQuery through native functions
- Data leakage through hyperlinks embedded in reports
- SQL injection in Spanner and BigQuery through custom queries
- SQL injection via the Looker Studio linking API
- Data exposure through image rendering features
- Cross-tenant data leaks using timing attacks and frame counting
- A denial-of-wallet attack affecting BigQuery resources
These issues collectively created a potential pathway for attackers to access or manipulate data stored in connected databases.
How Attackers Could Have Exploited the Flaws
Had the flaws been successfully exploited, attackers might have gained access to large datasets and cloud resources by targeting Looker Studio reports connected to databases.
One possible scenario involved public or shared reports. An attacker could locate a report connected to a database such as BigQuery and use the vulnerabilities to execute malicious SQL queries.
Another attack path involved the “copy report” feature. Due to a logic flaw, an attacker could clone a report while keeping the original owner’s database credentials attached. This could allow the attacker to:
- Modify database tables
- Delete records
- Insert malicious data
Researchers also described a one-click data exfiltration technique, where a specially crafted report could trick a victim’s browser into sending database activity logs to an attacker-controlled system. Those logs could then be used to reconstruct entire datasets.

Why These Vulnerabilities Were Dangerous
According to Tenable researcher Liv Matan, the vulnerabilities broke a key design assumption in Looker Studio.
Normally, a viewer of a report should only be able to see data, not control it. However, the flaws could have allowed attackers to:
- Extract sensitive information
- Modify database content
- Delete critical records
- Access datasets across multiple cloud tenants
In environments where Looker Studio connects to critical services like BigQuery or Google Sheets, the potential impact could have been significant.
Google’s Response
The vulnerabilities were reported to Google in June 2025 through responsible disclosure. Google addressed the security flaws before they could be widely exploited.
At this time, researchers say there is no indication the vulnerabilities were used in real-world attacks.
However, the discovery highlights how complex integrations between cloud services and analytics tools can create unexpected security risks.

Security Takeaway for Organizations
Organizations that rely on cloud-based analytics tools should take several precautions:
- Restrict public sharing of analytics reports
- Carefully manage database connector permissions
- Monitor unusual SQL query activity
- Apply the principle of least privilege to cloud resources
Even trusted visualization platforms can become attack surfaces if security boundaries between tenants are not strictly enforced.
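As an added illustration of the "monitor unusual SQL query activity" precaution (not code from Tenable, Google, or this article's source), the Python example below flags two patterns tied to the impacts described above: write or DDL statements issued by a credential that a reporting connector should only use for reads, and cumulative bytes billed beyond a budget, which is the denial-of-wallet case. The record fields, principal names, and budget are constructed assumptions, not a Google log schema.

```python
import re
from collections import defaultdict

# Strip comments and quoted literals so keywords inside them are ignored.
_NOISE = re.compile(r"--[^\n]*|/\*.*?\*/|'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"", re.S)
_WRITE = re.compile(r"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|TRUNCATE|CREATE)\b", re.I)

def write_keywords(sql):
    """Return write/DDL keywords found outside comments and string literals."""
    return sorted({m.upper() for m in _WRITE.findall(_NOISE.sub(" ", sql))})

def flag_queries(records, connector_principals, byte_budget):
    """Return {record id: [reasons]} for queries run with connector credentials."""
    findings = defaultdict(list)
    billed = defaultdict(int)
    for rec in records:
        who = rec["principal"]
        if who not in connector_principals:
            continue  # only credentials attached to reporting connectors are in scope
        kws = write_keywords(rec["sql"])
        if kws:
            findings[rec["id"]].append(
                "write statement from read-only connector: " + ",".join(kws))
        billed[who] += rec["bytes_billed"]
        if billed[who] > byte_budget:
            findings[rec["id"]].append("cumulative bytes billed over budget")
    return dict(findings)

# Constructed sample records (hypothetical field names and principals).
CONNECTORS = {"report-connector@example.invalid"}
BUDGET = 500_000_000
C, A = "report-connector@example.invalid", "analyst@example.invalid"
SAMPLE = [
    {"id": "q1", "principal": C, "bytes_billed": 10_000_000,
     "sql": "SELECT region, SUM(total) FROM sales GROUP BY region"},
    {"id": "q2", "principal": C, "bytes_billed": 1_000_000,
     "sql": "SELECT 'please delete me' AS note -- update later"},
    {"id": "q3", "principal": C, "bytes_billed": 0,
     "sql": "SELECT 1; DROP TABLE sales"},
    {"id": "q4", "principal": A, "bytes_billed": 5_000_000,
     "sql": "DELETE FROM staging WHERE day < '2025-01-01'"},
    {"id": "q5", "principal": C, "bytes_billed": 900_000_000,
     "sql": "SELECT * FROM events"},
    {"id": "q6", "principal": C, "bytes_billed": 2_000_000,
     "sql": "/* cleanup */ delete from sales where 1=1"},
]

if __name__ == "__main__":
    for qid, reasons in flag_queries(SAMPLE, CONNECTORS, BUDGET).items():
        print(qid, reasons)
```

Matching keywords anywhere in the statement catches stacked statements such as the one in `q3`, at the cost of occasional false positives on unquoted identifiers that are themselves keywords.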

