Google Looker Studio JDBC Connector SQL Injection Vulnerability via Stored Credentials
Vulnerability
A critical SQL injection vulnerability has been identified in Google Looker Studio, affecting all JDBC-based connectors. It allows a user with view access to a report to copy that report and execute arbitrary SQL commands on the data source database (for example, PostgreSQL) using the credentials stored by the original report owner. The issue arises from improper privilege management when reports are copied, enabling unauthorized database access and manipulation.
Impact
Exploitation of this vulnerability allows for arbitrary SQL execution on the connected database, bypassing the intended permission model. This could lead to unauthorized data manipulation, including insertion, deletion, and exfiltration of data.
Reproduction
To reproduce this vulnerability, a user must access a report with view-only permissions and make a copy of it. After copying the report, the user can edit the PostgreSQL data source, access all connected database tables, and use the 'Custom Query' feature to execute malicious SQL queries. The injected SQL will run using the database credentials stored with the original report, which the user does not have direct access to.
Remediation
Google has patched this vulnerability, and the fix is now in production.
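For a database owner whose PostgreSQL instance backed a shared report, the following added example (not from Google or the original advisory) scans statement logs for anything other than plain reads that ran under the connector's stored credentials. It assumes `log_statement = 'all'` and `log_line_prefix = '%m [%p] %u@%d '`; the role name `looker_ro` and the log lines are constructed for illustration.

```python
import re

# Assumption: log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d '.
ENTRY_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[\d+\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+(?:statement|execute [^:]+): (?P<sql>.*)$", re.S)
# One left-to-right pass so quotes inside comments (and vice versa) lex correctly.
LITERALS_AND_COMMENTS = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
# Keywords a read-only reporting connection has no reason to send.
NON_READ = {"insert", "update", "delete", "truncate", "drop", "alter",
            "create", "grant", "revoke", "copy", "call", "do", "into"}

def iter_entries(lines):
    """Join tab-indented continuation lines onto the entry they belong to."""
    entry = None
    for line in lines:
        if line.startswith("\t") and entry is not None:
            entry += "\n" + line.strip()
            continue
        if entry is not None:
            yield entry
        entry = line.rstrip("\n")
    if entry is not None:
        yield entry

def non_read_statements(lines, connector_role):
    """Return (timestamp, database, keywords, sql) for flagged statements."""
    findings = []
    for entry in iter_entries(lines):
        m = ENTRY_RE.match(entry)
        if not m or m["user"] != connector_role:
            continue
        bare = LITERALS_AND_COMMENTS.sub(" ", m["sql"]).lower()
        hits = sorted(set(re.findall(r"[a-z_]+", bare)) & NON_READ)
        if hits:
            findings.append((m["ts"], m["db"], hits, m["sql"]))
    return findings

# Constructed sample log; "looker_ro" is a hypothetical connector role name.
SAMPLE_LOG = [
    "2024-05-01 09:00:02.300 UTC [411] looker_ro@sales LOG:  execute <unnamed>: SELECT * FROM orders WHERE note = 'do not delete'",
    "2024-05-01 09:07:44.918 UTC [502] looker_ro@sales LOG:  execute <unnamed>: WITH gone AS (DELETE FROM orders",
    "\tWHERE id < 100 RETURNING *) SELECT count(*) FROM gone",
    "2024-05-01 09:08:10.004 UTC [502] looker_ro@sales LOG:  statement: SELECT 1 /* ' */; DROP TABLE audit_log",
    "2024-05-01 09:09:00.000 UTC [377] app_rw@sales LOG:  statement: INSERT INTO orders VALUES (1)",
]

if __name__ == "__main__":
    print(*non_read_statements(SAMPLE_LOG, "looker_ro"), sep="\n")
```

The check only catches statements that modify data or schema; reads of tables outside a report's usual queries need a separate review of the same log.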
