Google Cloud Platform (GCP) Zero-Click Cross-Tenant SQL Injection Vulnerability Through Stored Credentials in Looker Studio

Tenable Research has identified and responsibly disclosed a critical SQL injection vulnerability in Looker Studio. The vulnerability could have allowed an attacker with only view-level access to a report to execute arbitrary SQL commands on the underlying database.

This vulnerability stems from a flaw in how Looker Studio handles report copying. When a user with "view" permissions copies a report, the new report's data sources retain the stored credentials of the original report owner. This allows the attacker to use the "Custom Query" feature to execute malicious SQL on the connected PostgreSQL database, or other similar database types that store credentials. This bypasses the intended permission model, granting an attacker the ability to insert, delete, and exfiltrate data from the database without ever having had direct access to the credentials.
 

Proof of Concept:

1. Access a victim’s report with only a view permission.
2. Copy the report by clicking on the ellipsis → Make a copy → Copy report.
3. Click Resource → “Manage added data sources” and edit the Postgres SQL data source.
4. You will see all of the connected tables of the DB.
5. Press “Custom Query”.
6. Run a malicious SQL query and press “Reconnect”.

7. The malicious SQL will run behind the scenes with the stored DB credentials you don’t have access to.