Google Looker hit by serious security flaws that could expose corporate data

Security researchers from cybersecurity firm Tenable have uncovered two major vulnerabilities that could allow attackers to take over entire systems or steal sensitive corporate data. Dubbed “LookOut”, the vulnerabilities affect Google Looker, a popular business intelligence platform used by over 60,000 organisations across 195 countries.
The most severe issue is a Remote Code Execution (RCE) vulnerability, which allows attackers to run malicious commands remotely and gain full control of a Looker server. With this level of access, attackers could steal company secrets, manipulate data, or move further into a company’s internal network. In cloud environments, the flaw could even lead to cross-tenant access, potentially impacting multiple customers.
“This essentially gives attackers the keys to the kingdom. Looker often acts as the central nervous system for corporate data, so a breach could allow attackers to manipulate information or move deeper into private internal networks,” said Liv Matan, Senior Research Engineer at Tenable.
The second vulnerability lets attackers steal Looker’s internal management database. Researchers were able to trick the platform into connecting to its own internal database and then extract sensitive information such as user credentials and configuration secrets.
Google has since patched both issues in its managed Looker cloud service, but the risk remains for organisations that run Looker on self-hosted or on-premises servers. Those customers must apply the security updates themselves or risk an administrative takeover.
Tenable warns that securing platforms like Looker remains challenging due to their powerful features, such as allowing users to run SQL queries or indirectly interact with the system’s file structure.
To detect possible exploitation, administrators are advised to check Looker project folders for unexpected files in the .git/hooks/ directory, especially scripts named pre-push, post-commit, or applypatch-msg. Security teams should also review application logs for unusual SQL errors or signs of internal database abuse involving connections like looker__ilooker.
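The two checks above can be scripted. The following is an added example written for this article, not Tenable’s or Looker’s tooling. It assumes Looker projects sit under a single root directory and that the application log is plain text in which the connection name appears verbatim; the directory tree and log lines it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added triage helpers for the two LookOut indicators: stray git hooks in
# Looker project folders, and log lines that touch the internal database
# connection or carry SQL errors. Illustrative code, not Tenable's or
# Looker's. The log layout (timestamp level message) is an assumption.

# 1. Git hooks. Git itself only installs *.sample templates in .git/hooks/,
#    so any other file there was put in place by something else.
find_suspicious_hooks() {
    projects_root="$1"
    find "$projects_root" -path '*/.git/hooks/*' -type f ! -name '*.sample' 2>/dev/null || true
}

# Narrow the list to the hook names Tenable calls out.
find_named_hooks() {
    find_suspicious_hooks "$1" | grep -E '/(pre-push|post-commit|applypatch-msg)$' || true
}

# 2. Logs. Count lines referencing the internal database connection
#    (looker__ilooker) or a SQL error. Prints 0 instead of failing when
#    nothing matches, so it is safe to use under set -e.
scan_log() {
    logfile="$1"
    grep -E -i -c 'looker__ilooker|sql error|sqlexception' "$logfile" || true
}

# Build a throwaway tree: one planted hook with a highlighted name, one stray
# hook with another name, stock *.sample files, and a constructed log.
# Prints the root path so the caller can inspect and remove it.
setup_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/proj_a/.git/hooks" "$root/proj_b/.git/hooks"
    # git's own templates: expected, ignored
    printf '#!/bin/sh\nexit 0\n' > "$root/proj_a/.git/hooks/pre-commit.sample"
    printf '#!/bin/sh\nexit 0\n' > "$root/proj_b/.git/hooks/post-update.sample"
    # planted hook with a name Tenable highlights (body is a harmless placeholder)
    printf '#!/bin/sh\necho planted\n' > "$root/proj_a/.git/hooks/pre-push"
    # stray hook with a different name: still unexpected, just not on the shortlist
    printf '#!/bin/sh\necho stray\n' > "$root/proj_b/.git/hooks/commit-msg"
    # constructed log lines in the assumed layout
    cat > "$root/looker.log" <<'EOF'
2025-01-01T10:00:01Z INFO  query ok connection=warehouse_prod
2025-01-01T10:00:02Z ERROR SQL error: syntax error at or near "FROM" connection=warehouse_prod
2025-01-01T10:00:03Z INFO  connection test requested connection=looker__ilooker
EOF
    echo "$root"
}

# Stand-alone run: build the demo tree, report, clean up.
demo_root=$(setup_demo)
echo "Unexpected hook files:"
find_suspicious_hooks "$demo_root"
echo "Hooks with names Tenable highlights:"
find_named_hooks "$demo_root"
echo "Log lines worth reviewing: $(scan_log "$demo_root/looker.log")"
rm -rf "$demo_root"
```

Point find_suspicious_hooks at the real Looker project root and scan_log at the real application log; anything either reports is a lead to investigate, not proof of compromise on its own, since a legitimate hook or a harmless SQL error will also match.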
For the geekier readers out there, a full technical breakdown of the LookOut vulnerabilities is available on the Tenable blog.

