Google Looker hit by severe security vulnerabilities

Tenable Research has identified two major vulnerabilities, collectively referred to as “LookOut”, in Google Looker, a widely used business intelligence platform serving more than 60,000 organisations across 195 countries. The flaws could allow attackers to take control of affected systems or gain access to sensitive corporate information.

The most serious issue involves a remote code execution (RCE) chain that enables attackers to run malicious commands on a Looker server from a remote location. This could allow them to assume full control of the system, access confidential data, manipulate analytics, or move laterally within internal networks. In cloud-based deployments, the vulnerability could also create the risk of cross-tenant access, potentially exposing data belonging to multiple customers.

“This level of access is particularly dangerous because Looker acts as a central nervous system for corporate information, and a breach could allow an attacker to manipulate data or move deeper into a company’s private internal network,” said Liv Matan, Senior Research Engineer at Tenable, who led the research.

The second vulnerability allows attackers to extract Looker’s internal management database in its entirety. By deceiving the system into connecting to its own internal components, researchers were able to use a specialised data extraction technique to obtain user credentials, configuration details, and other sensitive information.

Google has moved quickly to secure its managed cloud-based Looker service. However, the risk remains significant for organisations that operate the platform on private servers or on-premises infrastructure. These users are responsible for applying security patches themselves and must ensure that updates are implemented promptly to prevent potential system compromise.

“Given that Looker is often the central nervous system for an organisation’s most sensitive data, the security of its underlying architecture is crucial. However, it remains challenging to secure such systems while still providing powerful capabilities, such as running SQL queries or indirect interaction with the managing instance’s file system,” Matan added.

To reduce the risk of exploitation, system administrators are advised to monitor their environments for signs of unauthorised activity. This includes checking project directories for unexpected files, particularly within the .git/hooks/ folder, and reviewing scripts such as pre-push, post-commit, or applypatch-msg that may indicate tampering. Security teams should also analyse application logs for evidence of abnormal internal connections, including unusual SQL errors or patterns linked to attempted injection attacks targeting internal databases such as looker__ilooker.

These findings highlight the growing importance of securing analytics and data platforms that play a central role in organisational decision-making. As such systems continue to expand in scale and complexity, maintaining strong security practices remains critical to protecting sensitive business information.