{"id":214,"date":"2026-03-10T14:10:17","date_gmt":"2026-03-10T14:10:17","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=214"},"modified":"2026-03-10T14:10:17","modified_gmt":"2026-03-10T14:10:17","slug":"new-leakylooker-flaws-in-google-looker-studio-could-enable-cross-tenant-sql-queries","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=214","title":{"rendered":"New \u00abLeakyLooker\u00bb Flaws in Google Looker Studio Could Enable Cross-Tenant SQL Queries"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>Mar 10, 2026<\/span><\/span>Database Security \/ Vulnerability<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

Cybersecurity researchers have disclosed nine cross-tenant vulnerabilities in Google Looker Studio that could have permitted attackers to run arbitrary SQL queries on victims’ databases and exfiltrate sensitive data within organizations’ Google Cloud environments.<\/p>\n

The shortcomings have been collectively named LeakyLooker<\/strong> by Tenable. There is no evidence that the vulnerabilities were exploited in the wild. Following responsible disclosure in June 2025, the issues have been addressed by Google.<\/p>\n

The list of security flaws is as follows –<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

\u00abThe vulnerabilities broke fundamental design assumptions, revealed a new attack class, and could have allowed attackers to exfiltrate, insert, and delete data in victims’ services and Google Cloud environment,\u00bb security researcher Liv Matan said<\/a> in a report shared with The Hacker News.<\/p>\n

\u00abThese vulnerabilities exposed sensitive data across Google Cloud Platform (GCP) environments, potentially affecting any organization using Google Sheets, BigQuery, Spanner, PostgreSQL, MySQL, Cloud Storage, and almost any other Looker Studio data connector.\u00bb<\/p>\n

Successful exploitation of the cross-tenant flaws could enable threat actors to gain access to entire datasets and projects across different cloud tenants.<\/p>\n

Attackers could scan for public Looker Studio reports or obtain access to private ones that use these connectors (e.g., BigQuery) and seize control of the databases, allowing them to run arbitrary SQL queries across the owner’s entire GCP project.<\/p>\n

Alternatively, a victim creates a report as public or shares it with a specific recipient, and uses a JDBC-connected data source such as PostgreSQL. In this scenario, the attacker can take advantage of a logic flaw in the copy report feature that makes it possible to clone reports while retaining the original owner’s credentials, enabling them to delete or modify tables.<\/p>\n

Another high-impact path detailed by the cybersecurity company involved one-click data exfiltration, where sharing a specially crafted report forces a victim’s browser to execute malicious code that contacts an attacker-controlled project to reconstruct entire databases from logs.<\/p>\n

\u00abThe vulnerabilities broke the fundamental promise that a ‘Viewer’ should never be able to control the data they are viewing,\u00bb Matan said, adding they \u00abcould have let attackers exfiltrate or modify data across Google services like BigQuery and Google Sheets.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

\ue804Ravie Lakshmanan\ue802Mar 10, 2026Database Security \/ Vulnerability Cybersecurity researchers have disclosed nine cross-tenant vulnerabilities in Google Looker Studio that could have permitted attackers to run arbitrary SQL queries on victims’…<\/p>\n","protected":false},"author":1,"featured_media":215,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[561,369,11,2,558,559,109,562,560],"class_list":["post-214","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-crosstenant","tag-enable","tag-flaws","tag-google","tag-leakylooker","tag-looker","tag-queries","tag-sql","tag-studio"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/214","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=214"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/214\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/215"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=214"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=214"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=214"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}