Researchers Disclose Nine Cross-Tenant Vulnerabilities in Google Looker Studio

Cybersecurity researchers disclose nine cross-tenant vulnerabilities in Google Looker Studio that could have allowed attackers to run arbitrary SQL queries on other organizations' databases and exfiltrate sensitive data within Google Cloud environments.

TechDrop Editorial

Cybersecurity researchers have disclosed nine cross-tenant vulnerabilities in Google Looker Studio, the business intelligence and data visualization platform within Google Cloud, that could have allowed attackers to run arbitrary SQL queries on other organizations' databases and exfiltrate sensitive data.

The Vulnerabilities

The nine flaws collectively enabled a cross-tenant attack chain where an attacker with access to one Google Cloud organization could pivot to access data belonging to other organizations sharing the same Looker Studio infrastructure. The vulnerabilities included insufficient input validation in data source connectors, authorization bypass in shared dashboard links, and server-side request forgery (SSRF) flaws that could be chained to access internal Google Cloud APIs that should not have been reachable from Looker Studio.

Impact Assessment

In the worst-case scenario, an attacker could use the vulnerability chain to execute arbitrary SQL queries against databases connected to a victim organization's Looker Studio instance — potentially exfiltrating customer data, financial records, or other sensitive information stored in Cloud SQL, BigQuery, or external databases connected through Looker's data source integrations. Google confirmed that it found no evidence of exploitation in the wild before the vulnerabilities were patched.

Remediation

Google patched all nine vulnerabilities through server-side updates that required no customer action. The company awarded bug bounties to the researchers who discovered the flaws and updated its security review processes for Looker Studio's data source connector framework. The disclosure highlights the security risks inherent in multi-tenant SaaS platforms that provide database connectivity — each data source connection creates a potential path from the shared platform to a customer's sensitive data stores.
