Tenable Research has identified two major vulnerabilities, dubbed “LookOut,” in Google Looker. The flaws in the popular business intelligence platform, which is used by more than 60,000 companies in 195 countries, could allow attackers to hijack entire systems or steal corporate secrets.
The most critical discovery, a Remote Code Execution (RCE) chain, allows an attacker to take full control of a Looker server by running their own malicious commands remotely. This action essentially provides attackers with the “keys to the kingdom”, allowing them to steal sensitive secrets, manipulate data, or pivot further into the internal network. In cloud instances, the vulnerability could potentially lead to cross-tenant access.
“This level of access is particularly dangerous because Looker acts as a central nervous system for corporate information, and a breach could allow an attacker to manipulate data or move deeper into a company’s private internal network,” said Liv Matan, Senior Research Engineer at Tenable, who led the discovery.
The second vulnerability the research uncovered allows for the complete theft of Looker’s internal management database. By tricking the system into opening a connection to its own internal database (its “private brain”), researchers used a specialized data-extraction technique to download sensitive user credentials and configuration secrets.
While Google responded quickly to secure its managed cloud service, the risk remains high for organizations that host Looker on their own private servers or on-premises hardware. These organizations must apply the security patches themselves to close these holes, as they bear the full burden of protecting their infrastructure from potential administrative takeover.
“Given that Looker is often the central nervous system for an organization’s most sensitive data, the security of its underlying architecture is crucial; however, it remains difficult to secure such systems while providing users with powerful capabilities like running SQL or indirectly interacting with the managing instance’s file system,” said Matan.
To monitor for potential exploitation of these vulnerabilities, administrators should review their systems for specific indicators of compromise. First, they should inspect the file system for any unexpected or unauthorized files within the .git/hooks/ directory of Looker project folders, paying close attention to scripts named pre-push, post-commit, or applypatch-msg that may have been placed there by an attacker (the inert *.sample templates that git creates in that directory are expected; an active hook without the .sample suffix is not). Additionally, security teams should examine application logs for signs of internal connection abuse, specifically searching for unusual SQL errors or patterns consistent with error-based SQL injection targeting internal Looker database connections such as looker__ilooker.
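The following script turns the two indicators above into a repeatable sweep for a self-hosted Looker host. It is an added example, not Tenable’s or Google’s tooling: it walks a projects directory for active (non-.sample) files in any .git/hooks folder, marking the three hook names called out above as high priority, and filters log lines for SQL error signatures on the looker__ilooker connection. The projects directory layout, the log line format, the error strings and the sample data are all assumptions constructed for the demo; adjust them to the Looker version and database backend in use.

```python
"""LookOut indicator sweep for a self-hosted Looker instance.

Added example, not Tenable's or Google's tooling. It checks the two
indicators described in the write-up: active git hooks in Looker project
repos and SQL-error noise against the internal looker__ilooker connection.
The directory layout, log format and error strings are assumptions.
"""
import os
import re
import tempfile

# Hook names called out in the write-up; every active hook is reported,
# these three are marked high priority.
PRIORITY_HOOKS = {"pre-push", "post-commit", "applypatch-msg"}

INTERNAL_CONNECTION = "looker__ilooker"

# Error strings typical of error-based SQL injection probing (assumed;
# extend with the exact messages your database backend emits).
SQL_ERROR_PATTERNS = [
    re.compile(r"syntax error", re.I),
    re.compile(r"sqlexception", re.I),
    re.compile(r"invalid input syntax|conversion failed|extractvalue|updatexml|xpath", re.I),
]


def find_active_hooks(projects_root):
    """Walk projects_root and return one dict per non-.sample file found in
    any .git/hooks directory. Assumption: Looker-managed repos carry only
    git's inert *.sample templates, so anything else is unexpected."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(projects_root):
        parent, leaf = os.path.split(dirpath)
        if leaf != "hooks" or os.path.basename(parent) != ".git":
            continue
        for name in sorted(filenames):
            if name.endswith(".sample"):
                continue  # git's stock templates, never executed
            path = os.path.join(dirpath, name)
            findings.append({
                "path": path,
                "hook": name,
                "executable": os.access(path, os.X_OK),
                "high_priority": name in PRIORITY_HOOKS,
            })
    return findings


def scan_log_lines(lines):
    """Return log lines that name the internal connection and carry an SQL
    error signature, i.e. candidates for error-based injection against the
    internal database. Assumption: the connection name appears on the line."""
    hits = []
    for line in lines:
        if INTERNAL_CONNECTION not in line:
            continue
        if any(p.search(line) for p in SQL_ERROR_PATTERNS):
            hits.append(line)
    return hits


# Constructed sample log lines (not real Looker output).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO  sql connection=sales_dw status=ok",
    "2024-05-01T10:00:05Z ERROR sql connection=looker__ilooker "
    "SQLException: syntax error at or near \"'\"",
    "2024-05-01T10:00:06Z ERROR sql connection=looker__ilooker "
    "invalid input syntax for type integer: \"admin@example.com\"",
    "2024-05-01T10:00:07Z INFO  sql connection=looker__ilooker status=ok",
    "2024-05-01T10:00:08Z ERROR sql connection=sales_dw syntax error near FROM",
]


def build_demo_projects():
    """Create a throwaway project tree with one inert sample hook and one
    planted pre-push hook (constructed demo data); returns the root."""
    root = tempfile.mkdtemp(prefix="looker-projects-")
    hooks = os.path.join(root, "acme_model", ".git", "hooks")
    os.makedirs(hooks)
    with open(os.path.join(hooks, "pre-push.sample"), "w") as f:
        f.write("#!/bin/sh\n# stock git template, never run\n")
    planted = os.path.join(hooks, "pre-push")
    with open(planted, "w") as f:
        f.write("#!/bin/sh\n# planted hook in this constructed demo\necho planted\n")
    os.chmod(planted, 0o755)
    return root


if __name__ == "__main__":
    root = build_demo_projects()
    for hit in find_active_hooks(root):
        flag = "HIGH" if hit["high_priority"] else "review"
        print(f"[{flag}] {hit['path']} executable={hit['executable']}")
    for line in scan_log_lines(SAMPLE_LOG):
        print("[SQLi?]", line)
```

Point `find_active_hooks` at the directory where the self-hosted instance keeps its LookML project checkouts, and feed `scan_log_lines` with the application log rather than `SAMPLE_LOG`. Any hook reported executable deserves immediate content review; a burst of error-signature lines on the internal connection, unlike the same errors on an ordinary customer connection, is the pattern the write-up associates with the database-theft chain.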
