Google Looker Studio SQL Injection Vulnerability Allowing Data Exfiltration from BigQuery
Vulnerability
A SQL injection vulnerability has been identified in Google Looker Studio that allowed attackers to exfiltrate data from BigQuery data sources. By creating a malicious report with native functions enabled and having the victim access it, an attacker could execute injected SQL queries using the victim's permissions in BigQuery. The exploit bypassed Looker Studio's SQL filtering by using comments, which enabled the injection of custom SQL queries that could blindly exfiltrate data, character by character, from accessible BigQuery datasets.
Impact
Exploitation of this vulnerability allowed for unauthorized data access and exfiltration from BigQuery, using the victim's credentials and permissions.
Reproduction
To reproduce this vulnerability, create a BigQuery dataset and table, or use a public dataset. Set up an 'attacker' dataset with tables for each character and number, sharing it for cross-tenant access. Then, create a Looker Studio report connected to the victim's BigQuery data source, inserting a malicious SQL injection formula that exploits the native functions feature. After publishing the report, data can be exfiltrated by accessing the report as the victim.
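One way a defender could look for the exfiltration channel described above in BigQuery job records, as an added example that is not part of the original advisory or of Google's tooling: it flags principals whose queries referenced several single-character tables in a project outside a trusted set. The record shape, project names, principals and threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed allowlist: projects the organisation owns or explicitly trusts.
TRUSTED_PROJECTS = {"corp-analytics", "bigquery-public-data"}
TABLE_RE = re.compile(r"^projects/([^/]+)/datasets/([^/]+)/tables/([^/]+)$")

def _job(job_id, principal, *tables):
    """Build one simplified job record (hypothetical shape, not a raw log export)."""
    return {"job_id": job_id, "principal": principal, "referenced_tables": list(tables)}

ORDERS = "projects/corp-analytics/datasets/sales/tables/orders"
EXT = "projects/external-project-placeholder/datasets/chars/tables/"

# Constructed sample records: alice's report queries touch per-character tables
# in an untrusted project; bob and carol are benign or below the threshold.
SAMPLE_JOBS = [
    _job("job_001", "alice@corp.example", ORDERS),
    _job("job_002", "alice@corp.example", ORDERS, EXT + "s"),
    _job("job_003", "alice@corp.example", ORDERS, EXT + "e"),
    _job("job_004", "alice@corp.example", ORDERS, EXT + "c"),
    _job("job_005", "bob@corp.example",
         "projects/partner-placeholder/datasets/feed/tables/events"),
    _job("job_006", "carol@corp.example", EXT + "a"),
    _job("job_007", "carol@corp.example", "not-a-table-reference"),
]

def external_char_tables(jobs, trusted=TRUSTED_PROJECTS, min_distinct=3):
    """Map (principal, project, dataset) to the sorted single-character table
    names read from untrusted projects, keeping groups with >= min_distinct."""
    seen = defaultdict(set)
    for job in jobs:
        for ref in job.get("referenced_tables", []):
            match = TABLE_RE.match(ref)
            if not match:
                continue  # ignore references that are not fully qualified tables
            project, dataset, table = match.groups()
            if project not in trusted and len(table) == 1 and table.isalnum():
                seen[(job["principal"], project, dataset)].add(table)
    return {key: sorted(names) for key, names in seen.items()
            if len(names) >= min_distinct}

if __name__ == "__main__":
    for (who, project, dataset), tables in external_char_tables(SAMPLE_JOBS).items():
        print(f"{who}: {len(tables)} single-character tables in "
              f"{project}.{dataset}: {tables}")
```

The threshold trades noise for sensitivity: each exfiltrated character touches one more table, so even a short leaked value produces several distinct names per principal.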
Remediation
Google has patched this vulnerability, and no customer action is needed.
