Tenable Finds Critical Flaws in Google Looker Used by 60,000 Companies

Tenable found two critical vulnerabilities in Google Looker affecting 60,000 companies. Flaws enable remote takeover and database theft on self-hosted systems

CIOL Bureau

Tenable Research disclosed two critical security vulnerabilities in Google Looker that could allow attackers to hijack systems or access corporate data across more than 60,000 companies using the business intelligence platform in 195 countries, according to a company report released this week.


The vulnerabilities, collectively dubbed "LookOut," come amid rising concerns about supply chain security in enterprise software. Business intelligence platforms like Looker have become prime targets for cyber attackers because they aggregate sensitive data from across organizations, making a single breach potentially catastrophic.

The more severe vulnerability is a Remote Code Execution chain that enables attackers to gain full control of a Looker server by executing malicious commands remotely, according to the research. This access allows attackers to extract sensitive credentials, manipulate data, or penetrate deeper into internal networks. In cloud deployments, the flaw could enable cross-tenant access, meaning attackers could potentially jump from one customer's environment to another's, the report stated.

"This level of access is particularly dangerous because Looker acts as a central nervous system for corporate information, and a breach could allow an attacker to manipulate data or move deeper into a company's private internal network," said Liv Matan, senior research engineer at Tenable who led the investigation.

The second vulnerability permits complete theft of Looker's internal management database, according to the findings. Researchers exploited the flaw by tricking the system into connecting to its own database, then used a data-extraction technique to download user credentials and configuration data, the Tenable report explained.

Google acquired Looker in 2020 for $2.6 billion and integrated it into its Google Cloud Platform, positioning it as a key tool for enterprise data analytics. Google has patched the vulnerabilities in its managed cloud service, according to Tenable. However, organizations running Looker on private servers or on-premises hardware must manually apply security patches, as they manage their own infrastructure security.

This creates a split-risk scenario where cloud customers are protected, but self-hosted deployments remain vulnerable until IT teams act, security experts note.


"Given that Looker is often the central nervous system for an organization's most sensitive data, the security of its underlying architecture is crucial; however, it remains difficult to secure such systems while providing users with powerful capabilities like running SQL or indirectly interacting with the managing instance's file system," Matan said in the report.

To detect potential attacks, Tenable provided specific technical guidance for security teams. The company recommended administrators check for indicators of compromise by inspecting file systems for unauthorized files in the .git/hooks/ directory of Looker project folders, particularly scripts named pre-push, post-commit, or applypatch-msg. Security teams should also examine application logs for unusual SQL errors or patterns consistent with error-based SQL injection targeting internal Looker database connections, the company stated.
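The two checks above can be scripted. The following is an added defender-side example, not code from Tenable, Google or the Looker project: it walks a directory of Looker project folders looking for live (non-`.sample`) hooks under `.git/hooks/`, flagging the three names from the guidance, and scans application log lines for database error text of the kind error-based SQL injection tends to surface. Only the hook names come from the article; the directory layout, the log format and the SQL error regexes are assumptions for illustration and should be tuned to a real deployment.

```python
"""Added defender-side example (not Tenable's, Google's or Looker's code):
scripts the two detection checks from the Tenable guidance for a self-hosted
Looker host. Paths, log format and the SQL-error regexes are assumptions;
only the three hook names come from the published guidance."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Hook names the Tenable guidance calls out by name.
NAMED_HOOKS = {"pre-push", "post-commit", "applypatch-msg"}

# Assumed regexes for database error text that error-based SQL injection
# attempts tend to leave in application logs. Tune to your database engine.
SQL_ERROR_PATTERNS = [
    re.compile(r"syntax error at or near", re.I),               # PostgreSQL-style
    re.compile(r"You have an error in your SQL syntax", re.I),  # MySQL-style
    re.compile(r"unterminated quoted string", re.I),
    re.compile(r"invalid input syntax for (type|integer)", re.I),
]


def scan_git_hooks(root):
    """Walk `root` for .git/hooks/ directories and report every hook that is
    not a git-provided *.sample template. Any live hook deserves review;
    those with the names from the guidance are flagged explicitly."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        p = Path(dirpath)
        if p.name != "hooks" or p.parent.name != ".git":
            continue
        for name in sorted(filenames):
            if name.endswith(".sample"):
                continue
            full = p / name
            mode = full.stat().st_mode
            findings.append({
                "path": str(full),
                "hook": name,
                "named_indicator": name in NAMED_HOOKS,
                "executable": bool(mode & stat.S_IXUSR),
            })
    return findings


def find_sql_error_lines(log_lines):
    """Return (line_number, line) for every log line matching one of the
    assumed SQL error patterns; clusters of hits in a short window are the
    signal worth escalating, a single one may be an ordinary user typo."""
    hits = []
    for i, line in enumerate(log_lines, start=1):
        if any(pat.search(line) for pat in SQL_ERROR_PATTERNS):
            hits.append((i, line))
    return hits


def demo():
    """Build a constructed Looker-project tree and constructed log lines,
    run both checks, and return (hook_findings, sql_error_hits)."""
    tmp = Path(tempfile.mkdtemp(prefix="looker-demo-"))
    # project_a: git's sample hooks plus one live, executable pre-push hook.
    hooks_a = tmp / "project_a" / ".git" / "hooks"
    hooks_a.mkdir(parents=True)
    (hooks_a / "pre-commit.sample").write_text("#!/bin/sh\n# sample\n")
    live = hooks_a / "pre-push"
    live.write_text("#!/bin/sh\necho constructed-test-hook\n")
    live.chmod(0o755)
    # project_b: only the untouched sample templates, nothing to report.
    hooks_b = tmp / "project_b" / ".git" / "hooks"
    hooks_b.mkdir(parents=True)
    (hooks_b / "post-commit.sample").write_text("#!/bin/sh\n# sample\n")

    # Constructed log lines; the format is illustrative, not Looker's real one.
    logs = [
        "2025-01-01T10:00:01Z INFO  query ok rows=12",
        "2025-01-01T10:00:02Z ERROR db: syntax error at or near \"'\"",
        "2025-01-01T10:00:03Z ERROR db: invalid input syntax for type integer",
        "2025-01-01T10:00:04Z INFO  dashboard rendered",
    ]
    return scan_git_hooks(tmp), find_sql_error_lines(logs)


if __name__ == "__main__":
    hooks, sql_hits = demo()
    for h in hooks:
        print(("NAMED  " if h["named_indicator"] else "REVIEW ") + h["path"])
    for n, line in sql_hits:
        print(f"log line {n}: {line}")
```

Run it against the real projects directory by calling `scan_git_hooks("/path/to/looker/projects")` and feed `find_sql_error_lines` the lines of the application log; any live hook, named or not, should be compared against what the team actually deployed, since git never creates non-`.sample` hooks on its own.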

Tenable, which describes itself as an exposure management company, serves approximately 44,000 customers globally. The company did not specify when it initially discovered the vulnerabilities or when it notified Google.

Google did not immediately respond to questions about the timeline for the vulnerability disclosure or whether any exploitation has been detected. The company also did not confirm how many self-hosted Looker deployments remain unpatched.
