Tenable flags ‘LookOut’ flaws in Google Looker
By Staff Writer
Tenable Research has identified two major vulnerabilities dubbed “LookOut” in Google Looker, warning the flaws could allow attackers to hijack entire systems or steal corporate secrets.
The business intelligence platform is used by more than 60,000 companies in 195 countries, Tenable said, widening the potential impact if organizations fail to patch vulnerable systems.
The most critical finding Tenable describes is a remote code execution chain: an attacker who completes it can run arbitrary commands on the Looker server and take full control of it.
Tenable said that level of access could let an intruder steal secrets, manipulate data, or pivot deeper into internal networks, and that on hosted cloud instances it could lead to cross-tenant access.
“This level of access is particularly dangerous because Looker acts as a central nervous system for corporate information, and a breach could allow an attacker to manipulate data or move deeper into a company’s private internal network,” said Liv Matan, Senior Research Engineer at Tenable, who led the discovery.
Tenable said the second vulnerability allows complete theft of Looker’s internal management database: the attacker abuses Looker’s internal database connections and uses a data-extraction technique (Tenable’s detection guidance points to error-based SQL injection against the internal looker__ilooker connection) to pull out user credentials and configuration secrets.
Google moved quickly to secure its managed cloud service, Tenable said, but the risk remains high for customer-hosted deployments, whether on private servers or on-premises hardware, because those operators must apply the patches themselves.
“Given that Looker is often the central nervous system for an organization’s most sensitive data, the security of its underlying architecture is crucial; however, it remains difficult to secure such systems while providing users with powerful capabilities like running SQL or indirectly interacting with the managing instance’s file system,” said Matan.
Tenable advised administrators to hunt for indicators of compromise on the file system by inspecting the .git/hooks/ directory of each Looker project folder for unexpected files, in particular live scripts named pre-push, post-commit, or applypatch-msg. Git populates that directory only with inert *.sample templates, so any hook without the .sample suffix, especially an executable one, warrants investigation.
Tenable also said security teams should examine application logs for signs of internal connection abuse, including unusual SQL errors or query patterns consistent with error-based SQL injection against internal Looker database connections such as looker__ilooker.
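The two hunting checks above, as one added example; this is not Tenable’s or Google’s code. It assumes that an untampered Looker project checkout contains only git’s inert *.sample hook templates under .git/hooks, and the log lines it scans are constructed in a made-up "timestamp level source connection=... message" layout because the page does not show real Looker log output; the MySQL-style error strings and injection-function patterns are likewise assumptions to be tuned against real logs.

```python
"""Hunting for the two LookOut indicators Tenable lists: live git hooks in
Looker project folders and error-based SQL injection on looker__ilooker.
Added example, not Tenable's or Google's code.  Assumptions: an untampered
project checkout holds only git's inert *.sample hook templates, and the log
lines are constructed in a made-up "timestamp level source connection=...
message" layout because the page does not show real Looker log output."""
import os
import re
import shutil
import stat
import tempfile

# Hook names git recognises; a live file under one of these names runs on the
# matching git event (pre-push, post-commit and applypatch-msg are among them).
GIT_HOOK_NAMES = {
    "applypatch-msg", "pre-applypatch", "post-applypatch", "pre-commit",
    "pre-merge-commit", "prepare-commit-msg", "commit-msg", "post-commit",
    "pre-rebase", "post-checkout", "post-merge", "pre-push", "pre-receive",
    "update", "post-receive", "post-update", "push-to-checkout", "pre-auto-gc",
    "post-rewrite", "sendemail-validate", "fsmonitor-watchman",
}


def find_unexpected_git_hooks(projects_root):
    """Walk every .git/hooks below projects_root; report each non-*.sample file
    as (path relative to projects_root, is a known hook name, is executable)."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(projects_root):
        parent, leaf = os.path.split(dirpath)
        if leaf != "hooks" or os.path.basename(parent) != ".git":
            continue
        for name in sorted(filenames):
            if name.endswith(".sample"):
                continue  # git's own inert templates
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            rel = os.path.relpath(path, projects_root).replace(os.sep, "/")
            findings.append((rel, name in GIT_HOOK_NAMES, executable))
    return findings


def demo_hook_scan():
    """Build a throwaway project tree (constructed data) and scan it."""
    root = tempfile.mkdtemp(prefix="looker_projects_")
    hooks = os.path.join(root, "sales_model", ".git", "hooks")
    os.makedirs(hooks)
    with open(os.path.join(hooks, "pre-push.sample"), "w") as f:
        f.write("#!/bin/sh\n# stock git template, never executed\n")
    with open(os.path.join(hooks, "helper.sh"), "w") as f:
        f.write("#!/bin/sh\necho staged\n")  # stray file, not a hook name
    live = os.path.join(hooks, "pre-push")
    with open(live, "w") as f:
        f.write("#!/bin/sh\n# whatever is here runs on the server at push time\nid\n")
    os.chmod(live, 0o755)  # a live, executable hook
    findings = find_unexpected_git_hooks(root)
    shutil.rmtree(root, ignore_errors=True)
    return findings


CONNECTION_RE = re.compile(r"connection=(?P<conn>[\w-]+)")
# Error texts that error-based injection provokes on purpose (MySQL-style
# wording assumed; the page does not quote real Looker errors).
SQL_ERROR_RE = re.compile(
    r"SQLSyntaxErrorException|error in your SQL syntax|XPATH syntax error|"
    r"Duplicate entry .* for key|Incorrect (?:integer|double) value", re.I)
# Functions and tricks characteristic of error-based extraction payloads.
ERROR_BASED_SQLI_RE = re.compile(
    r"extractvalue\s*\(|updatexml\s*\(|exp\s*\(\s*~|floor\s*\(\s*rand\s*\(|"
    r"concat\s*\(\s*0x7e", re.I)

# Constructed log lines: clean warehouse query, syntax error on the internal
# connection, an extractvalue() leak, a benign internal query, a warehouse timeout.
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:01Z INFO  query connection=sales_warehouse rows=1204 ok",
    "2024-05-01T10:00:07Z ERROR query connection=looker__ilooker "
    "SQLSyntaxErrorException: You have an error in your SQL syntax near ''' at line 1",
    "2024-05-01T10:00:09Z ERROR query connection=looker__ilooker XPATH syntax error: "
    "'~admin@example.com' from extractvalue(1,concat(0x7e,(select email from users limit 1)))",
    "2024-05-01T10:00:12Z INFO  query connection=looker__ilooker select count(*) from users",
    "2024-05-01T10:00:20Z ERROR query connection=sales_warehouse timeout after 600s",
]


def scan_ilooker_log_lines(lines):
    """Return (line number, reasons) for lines on the looker__ilooker connection
    that carry a SQL error or an error-based injection payload; errors on
    customer warehouses and clean internal queries are ignored."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = CONNECTION_RE.search(line)
        if not match or match.group("conn") != "looker__ilooker":
            continue
        reasons = []
        if SQL_ERROR_RE.search(line):
            reasons.append("sql-error")
        if ERROR_BASED_SQLI_RE.search(line):
            reasons.append("error-based-sqli-payload")
        if reasons:
            hits.append((number, ",".join(reasons)))
    return hits
```

On a real host, call `find_unexpected_git_hooks()` with the directory that holds the Looker project checkouts and feed `scan_ilooker_log_lines()` the application log as a list of lines; the `connection=` field and the error wording are stand-ins for whatever Looker actually emits and must be adapted before the hits mean anything. Reporting unknown hook names as well as the three Tenable names keeps a renamed script from slipping past.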
For a complete technical breakdown of the “LookOut” vulnerabilities, Tenable directed organizations to the full research report on the Tenable blog.
Tenable described itself as an exposure management company serving about 44,000 customers globally through an AI-powered platform that aims to unify visibility and action across attack surfaces spanning IT, cloud, and critical infrastructure.