Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Google Cloud Platform (GCP) Zero-Click Cross-Tenant SQL Injection Vulnerability Through Stored Credentials in Looker Studio

Critical

Synopsis

Tenable Research has identified and responsibly disclosed a critical SQL injection vulnerability in Looker Studio. The vulnerability could have allowed an attacker with only view-level access to a report to execute arbitrary SQL commands on the underlying database.

This vulnerability stems from a flaw in how Looker Studio handles report copying. When a user with "view" permissions copies a report, the new report's data sources retain the stored credentials of the original report owner. This allows the attacker to use the "Custom Query" feature to execute malicious SQL on the connected PostgreSQL database, or other similar database types that store credentials. This bypasses the intended permission model, granting an attacker the ability to insert, delete, and exfiltrate data from the database without ever having had direct access to the credentials.
 

Proof of Concept:

  1. Access a victim’s report with only a view permission.
  2. Copy the report by clicking on the ellipsis → Make a copy → Copy report.
  3. Click Resource → “Manage added data sources” and edit the Postgres SQL data source.
  4. You will see all of the connected tables of the DB.
  5. Press “Custom Query”.
  6. Run a malicious SQL query and press “Reconnect”.

The custom query

The resulting table

  1. The malicious SQL will run behind the scenes with the stored DB credentials you don’t have access to.

Solution

Google has remediated the issue.

Disclosure Timeline

June 3, 2025 - Tenable reports the finding to Google
June 5, 2025 - Google assigns S1 severity
June 6, 2025 - Tenable adds additional details
June 26, 2025 - Google awards a bounty
July 2, 2025 - Tenable asks for updates on the fix
July 15, 2025 - Tenable asks for updates
July 17, 2025 - Google awards a bounty and updates that the product team is working to resolve the issue
July 28, 2025 - Google updates that the bug is fixed but not yet verified
July 31, 2025 - Tenable and Google agree to keep the original disclosure date
August 1, 2025 - Google updates that all bugs have been fixed
August 11, 2025 - Google updates that the fix is in production and asks to let them know when we disclose
August 28, 2025 - Google asks to get the TRA draft, Tenable shares it with them
August 28, 2025 - Tenable delays the publication due to holidays to September 3rd

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2025-29
Credit:
Liv Matan
Affected Products:
GCP Looker Studio
Risk Factor:
Critical

Advisory Timeline

September 3, 2025 - Initial release.