Google Looker vulnerabilities uncovered by Tenable Research

Security researchers have identified critical flaws in a widely used analytics platform that could enable remote system takeover, sensitive data theft, and deeper network access, raising serious concerns for organisations running self-hosted deployments.

DQC Bureau

Tenable Research has identified two major Google Looker vulnerabilities, collectively named “LookOut,” that could allow attackers to take full control of systems or steal sensitive corporate data. Looker, Google’s business intelligence platform, is used by more than 60,000 organisations across 195 countries.

The findings indicate that successful exploitation could lead to administrative takeover, manipulation of analytics data, or deeper access into internal enterprise networks.

Remote code execution enables full system takeover

The most critical of the Google Looker vulnerabilities is a remote code execution chain that allows attackers to run arbitrary commands on a Looker server from a remote location. This capability effectively gives attackers unrestricted control over the affected system.

Such access could be used to extract sensitive secrets, alter stored data, or pivot into other parts of an organisation’s internal network. In cloud-based environments, the vulnerability could also create the risk of cross-tenant access.

“This level of access is particularly dangerous because Looker acts as a central nervous system for corporate information, and a breach could allow an attacker to manipulate data or move deeper into a company’s private internal network,” said Liv Matan, Senior Research Engineer at Tenable, who led the discovery.

Second flaw enables internal database exfiltration

The second vulnerability uncovered by Tenable allows attackers to steal Looker’s internal management database in full. By manipulating how the platform establishes internal connections, researchers were able to trick Looker into interacting with its own backend systems.

Using a specialised data extraction technique, sensitive information such as user credentials and configuration secrets could be downloaded. This significantly increases the potential impact of an initial compromise.

Managed cloud secured, self-hosted users remain exposed

Google has already addressed the Google Looker vulnerabilities in its managed cloud service. However, organisations that host Looker on private servers or on-premises infrastructure remain at risk until security patches are manually applied.

In these deployments, responsibility for mitigation rests entirely with the organisation, leaving unpatched systems exposed to possible administrative takeover.

“Given that Looker is often the central nervous system for an organization’s most sensitive data, the security of its underlying architecture is crucial; however, it remains difficult to secure such systems while providing users with powerful capabilities like running SQL or indirectly interacting with the managing instance’s file system,” Matan said.

Indicators of compromise administrators should review

To detect potential exploitation of the Google Looker vulnerabilities, administrators are advised to inspect their environments for specific indicators of compromise.

These include:

  • Unexpected or unauthorised files within the .git/hooks/ directory of Looker project folders
  • Suspicious scripts named pre-push, post-commit, or applypatch-msg
  • Application logs showing signs of abnormal internal connections
  • SQL errors consistent with error-based SQL injection targeting internal databases such as looker__ilooker

These indicators may signal abuse of internal system functionality or ongoing unauthorised access.
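
An added example, not taken from the article, Tenable or Google: a Python sweep for the first two indicators. It records every file in a .git/hooks directory under a given root that is not one of Git's inert .sample templates and sorts the three hook names listed above to the top. The root path, the function names and the sample tree are assumptions, since the article does not say where Looker project folders live.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Hook names listed in the indicators above.
NAMED_HOOKS = {"pre-push", "post-commit", "applypatch-msg"}


def find_active_hooks(root):
    """Return a record for every non-.sample file in any .git/hooks under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        if here.name != "hooks" or here.parent.name != ".git":
            continue
        for name in sorted(filenames):
            if name.endswith(".sample"):  # inert templates created by git init
                continue
            path = here / name
            info = path.lstat()  # lstat describes a symlink itself, not its target
            regular = stat.S_ISREG(info.st_mode)
            findings.append({
                "path": str(path),
                "named_indicator": name in NAMED_HOOKS,
                "executable": bool(info.st_mode & 0o111),
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest() if regular else None,
                "mtime": info.st_mtime,
            })
    # Hooks named in the indicator list sort first for triage.
    return sorted(findings, key=lambda f: (not f["named_indicator"], f["path"]))


def build_constructed_tree(base):
    """Constructed sample layout (an assumption): one clean project, one with a live hook."""
    for project in ("project_clean", "project_flagged"):
        hooks = Path(base) / project / ".git" / "hooks"
        hooks.mkdir(parents=True)
        (hooks / "pre-commit.sample").write_text("#!/bin/sh\n# template\n")
    live = Path(base) / "project_flagged" / ".git" / "hooks" / "pre-push"
    live.write_text("#!/bin/sh\n# constructed placeholder content\n")
    live.chmod(0o755)
    return str(live)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for hit in find_active_hooks(tmp):
            print(hit["path"], hit["named_indicator"], hit["executable"], hit["sha256"])
```

A hit is a lead for review rather than proof of compromise, because administrators may have installed hooks of their own; compare the hashes and modification times against a known-good baseline.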

Broader implications for analytics platforms

The disclosure highlights the broader risks associated with analytics platforms that operate as central access points for enterprise data. As Looker integrates deeply into business workflows, architectural weaknesses can expose far more than reporting functions.

For organisations running self-managed analytics infrastructure, the findings reinforce the need for timely patching and continuous monitoring of systems that hold sensitive operational data.
