Experts reveal 'LeakyLooker' flaws let hackers gain access to user information in Google Looker Studio, so be on your guard
Nine bugs were found in Google's Looker Studio
- Tenable uncovers nine Looker Studio flaws dubbed LeakyLooker
- Bugs enabled cross-tenant SQL injection and credential leaks
- Google patched all vulnerabilities; users urged to review report access
A series of nine vulnerabilities in Google Looker Studio can be used to run arbitrary SQL queries against target databases and pull sensitive data from people’s Google Cloud environments, experts have revealed.
Security researchers at Tenable found the flaws, dubbed LeakyLooker, which exposed sensitive data across Google Cloud environments and affected users of pretty much any Looker Studio data connector, including Google Sheets, PostgreSQL, MySQL, and others.
“Achieving full isolation while providing live data is a difficult task that can be flawed,” Tenable said in its findings, adding that the tool’s "Live Data" architecture, designed for real-time report updates, was a real Achilles' heel. “Attackers could exploit this through 0-click (no victim interaction) and 1-click (victim opens a malicious website controlled by the attacker) vulnerabilities.”
Looker Studio issues
Looker Studio is a free data visualization and reporting tool from Google that lets people turn raw data into interactive dashboards and reports. It is quite popular, too, as the broader Looker product family has more than 10 million monthly users.
Here is a brief overview of the bugs Tenable uncovered:
- Cross Tenant Unauthorised Access - Zero-Click SQL Injection on Database Connectors - TRA-2025-28
- Cross Tenant Unauthorised Access - Zero-Click SQL Injection Through Stored Credentials - TRA-2025-29
- Cross Tenant SQL Injection on BigQuery Through Native Functions - TRA-2025-27
- Cross Tenant Data Sources Leak With Hyperlinks - TRA-2025-40
- Cross Tenant SQL injection on Spanner and BigQuery Through Custom Queries on a Victim’s Data Source - TRA-2025-38
- Cross Tenant SQL Injection on BigQuery and Spanner Through the Linking API - TRA-2025-37
- Cross Tenant Data Sources Leak With Image Rendering - TRA-2025-30
- Cross Tenant XS Leak on Arbitrary Data Sources With Frame Counting and Timing Oracles - TRA-2025-31
- Cross Tenant Denial of Wallet Through BigQuery - TRA-2025-41
The most worrying of the vulnerabilities was the “Sticky Credential” logic flaw in the “Copy Report” feature, which unauthorized attackers could use to clone reports while keeping the original owner’s credentials.
Google has since patched all nine bugs globally, and Tenable recommends users regularly review who has “View” access to both public and private reports.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.