Google Looker Studio SQL Injection Vulnerability in BigQuery Reports
Vulnerability
A SQL injection vulnerability exists in Google Looker Studio reports that use BigQuery as a data source. This issue allows users with report view access to inject malicious SQL that executes with the report owner's permissions. The vulnerability arises from improper sanitization of user input in the batchedDataV2 HTTP request, enabling attackers to manipulate dynamically generated column aliases and execute arbitrary SQL queries. Exploitation could lead to unauthorized data access, modification, or deletion.
Impact
Exploitation of this vulnerability could allow for arbitrary SQL execution on behalf of the report owner, potentially leading to unauthorized data access, modification, or deletion.
Reproduction
To reproduce this vulnerability, access a vulnerable Looker Studio report with BigQuery as the data source. Intercept the batchedDataV2 request and inject SQL commands into the JSON values. After sending the modified request, refresh the report to execute the injected SQL on the report owner's data.
Remediation
Google has patched this vulnerability, and no customer action is needed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.