Uncovering Security Threats: Nine Vulnerabilities in Google Looker Studio
A recent investigation has revealed a concerning set of nine cross-tenant vulnerabilities within Google Looker Studio, a prominent cloud-based business intelligence platform previously known as Data Studio. Cybersecurity researchers from Tenable Research dubbed this collection of flaws "LeakyLooker," highlighting the potential for attackers to manipulate or extract sensitive cloud data. The vulnerabilities pose a significant threat as they could affect user data stored across various Google services.
Google Looker Studio is widely utilized for transforming raw data into visually appealing dashboards and reports. The platform seamlessly connects to an array of data sources, including Google BigQuery, Google Sheets, and various SQL databases. Because of its deep integration with Google Cloud infrastructure, researchers assert that it offers an unusually extensive attack surface, making it an attractive target for cybercriminals.
Two Separate Attack Paths
Tenable’s researchers pinpointed weaknesses in the way Looker Studio managed authentication and data connectors. The platform is designed to allow reports to retrieve data using either the report owner’s credentials or the credentials of the viewer, contingent on specific configuration settings. This architectural setup resulted in two distinct attack vectors that could be exploited by malicious actors:
- Zero-Click Attacks Targeting Owner Credentials: The first path involved the potential for attackers to execute SQL queries using the report owner’s authentication without requiring any action from the owner. This would be achieved through cleverly crafted server-side requests, effectively circumventing standard security protocols.
- One-Click Attacks Targeting Viewer Credentials: The second vector exploited unsuspecting victims. When users opened a manipulated report or link, they could inadvertently execute harmful SQL queries, thus compromising their data without even knowing it.
These malicious capabilities were enabled by several foundational vulnerabilities within the platform, including SQL injection flaws in database connectors, unwanted data leaks via report elements such as hyperlinks or rendered images, and a denial-of-wallet issue impacting BigQuery resources.
Potential Impact and Google’s Response
The implications of these vulnerabilities extend deeply into the connections utilized by Looker Studio reports to access various cloud services. This includes prominent platforms such as BigQuery, Spanner, PostgreSQL, MySQL, Google Sheets, and Cloud Storage. Researchers indicated that attackers could potentially locate publicly accessible reports, using them as gateways to exfiltrate data or manipulate databases by inserting records or deleting tables.
In an illustrative scenario, the report copy feature in Looker Studio would preserve embedded database credentials when a viewer duplicated a report. Consequently, the new report owner could run custom SQL queries using the original database’s authentication credentials without ever knowing the password.
Upon discovering these vulnerabilities, Tenable promptly reported all nine flaws to Google through a responsible disclosure process. Google collaborated with Tenable to investigate the findings and enacted a series of fixes across the platform. Because Looker Studio operates as a fully managed service, the patches were rolled out globally and require no action from customers.
Tenable researchers have emphasized that their findings serve as a crucial reminder regarding how analytics platforms can unexpectedly act as entry points into cloud environments. They advise organizations using these platforms to perform thorough reviews of their report-sharing settings, limit the use of unnecessary connectors, and recognize that Business Intelligence (BI) integrations form an integral part of their security attack surface.
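The review recommended above can be scripted against an exported report inventory. The following is an added example, not code from Tenable or Google; the inventory format, field names, sharing labels and severity order are assumptions made for illustration, and the sample reports are constructed.

```python
from dataclasses import dataclass

# Query-capable backends the article names as reachable through connectors.
SQL_BACKENDS = {"bigquery", "spanner", "postgresql", "mysql"}
# Assumed labels for sharing modes that expose a report beyond named users.
BROAD_SHARING = {"public", "anyone_with_link"}

@dataclass
class Report:
    name: str
    sharing: str          # "public", "anyone_with_link", "domain" or "restricted"
    credentials: str      # "owner" or "viewer": whose identity runs the queries
    attached: frozenset   # connectors configured on the report
    used: frozenset       # connectors actually referenced by a chart

def audit(reports):
    """Return (severity, report name, finding) tuples, most urgent first."""
    findings = []
    for r in reports:
        # Owner credentials plus broad sharing: every visitor's request is
        # served with the owner's data access.
        if r.credentials == "owner" and r.sharing in BROAD_SHARING:
            sql = sorted(r.attached & SQL_BACKENDS)
            if sql:
                findings.append((1, r.name,
                    "owner-credential SQL source behind broad sharing: " + ", ".join(sql)))
            else:
                findings.append((2, r.name,
                    "owner-credential data behind broad sharing"))
        # Connectors nobody uses still widen the attack surface.
        for connector in sorted(r.attached - r.used):
            findings.append((3, r.name, "connector attached but unused: " + connector))
    return sorted(findings)

# Constructed inventory for the example, not real reports.
INVENTORY = [
    Report("sales-kpi", "public", "owner",
           frozenset({"bigquery", "sheets"}), frozenset({"bigquery"})),
    Report("hr-headcount", "restricted", "owner",
           frozenset({"postgresql"}), frozenset({"postgresql"})),
    Report("ops-latency", "anyone_with_link", "viewer",
           frozenset({"mysql"}), frozenset({"mysql"})),
    Report("press-stats", "anyone_with_link", "owner",
           frozenset({"sheets"}), frozenset({"sheets"})),
]

if __name__ == "__main__":
    for severity, name, finding in audit(INVENTORY):
        print(f"[{severity}] {name}: {finding}")
```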
In summary, the discovery of the "LeakyLooker" vulnerabilities serves as a significant wake-up call for businesses leveraging cloud-based analytics platforms. With the implications extending beyond mere data exposure, organizations are urged to reassess their security measures and acknowledge the intricate vulnerabilities that may exist within their data reporting frameworks. The evolving landscape of cyber threats demands vigilance, prompting companies to stay informed and proactive in safeguarding their valuable data assets against potential exploitation.
