Tenable Research has identified two major security vulnerabilities, collectively dubbed “LookOut”, in Google Looker, a widely used business intelligence platform with adoption by over 60,000 companies across 195 countries. These vulnerabilities could allow attackers to hijack entire systems or exfiltrate sensitive corporate data.

The most critical discovery is a Remote Code Execution (RCE) chain, which enables attackers to take full control of a Looker server by executing malicious commands remotely. This vulnerability could grant adversaries the “keys to the kingdom,” allowing them to steal secrets, manipulate critical business data, or move laterally within corporate networks. In cloud-hosted instances, this could even result in cross-tenant access, escalating the potential impact.

“This level of access is particularly dangerous because Looker acts as a central nervous system for corporate information,” said Liv Matan, Senior Research Engineer at Tenable, who led the discovery. “A breach could allow attackers to manipulate data or penetrate deeper into a company’s private network.”

The second vulnerability allows attackers to exfiltrate Looker’s internal management database. By tricking the system into connecting to its own management backend, researchers demonstrated how sensitive user credentials and configuration secrets could be extracted.

While Google has promptly addressed the issue for its managed cloud service, organizations hosting Looker on private servers or on-premises hardware remain at high risk. These organizations must manually apply security patches to safeguard their infrastructure against potential administrative takeover.

“Given that Looker is often the central hub for an organization’s most sensitive data, securing its architecture is crucial,” added Matan. “However, providing powerful capabilities like executing SQL queries while maintaining airtight security remains a significant challenge.”

Monitoring and Mitigation
Tenable recommends that administrators actively monitor their Looker environments for indicators of compromise by:

  • Inspecting the .git/hooks/ directory in Looker project folders for unauthorized scripts such as pre-push, post-commit, or applypatch-msg.

  • Reviewing application logs for unusual SQL errors or patterns indicative of error-based SQL injection targeting internal Looker connections (e.g., looker__ilooker).
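The two checks above, as an added example that is not part of the advisory or of Looker itself: it walks a tree of Looker project folders and reports any active (non-`.sample`) git hook, marking the three names the advisory lists, and filters log lines that pair the internal `looker__ilooker` connection with a SQL error. The project tree, the log lines and the SQL-error patterns are constructed assumptions; the real Looker log format may differ.

```python
import os
import re
import tempfile

# Hook names the advisory lists; any other active (non-.sample) hook in a
# Looker-managed project repo is reported as well (assumption).
NAMED_HOOKS = {"pre-push", "post-commit", "applypatch-msg"}

# Constructed sample log lines; the real Looker log format may differ.
SAMPLE_LOG = [
    "10:00:01 INFO  query connection=sales_dw status=ok",
    "10:00:02 ERROR query connection=looker__ilooker sql error: syntax error at or near \"'\"",
    "10:00:03 INFO  query connection=looker__ilooker status=ok rows=12",
    "10:00:04 ERROR query connection=sales_dw SQLException: timeout",
]
SQL_ERROR = re.compile(r"sql\s*error|syntax error|SQLException|unterminated quoted", re.I)
INTERNAL_CONN = re.compile(r"looker__ilooker", re.I)


def find_active_hooks(projects_root):
    """Return (project, hook, named_in_advisory) for every non-.sample file in <project>/.git/hooks/."""
    findings = []
    for project in sorted(os.listdir(projects_root)):
        hooks_dir = os.path.join(projects_root, project, ".git", "hooks")
        if not os.path.isdir(hooks_dir):
            continue
        for name in sorted(os.listdir(hooks_dir)):
            if name.endswith(".sample"):
                continue  # inert templates created by `git init`; not executed by git
            findings.append((project, name, name in NAMED_HOOKS))
    return findings


def scan_log_lines(lines):
    """Return lines that pair the internal connection with a SQL error (the advisory's injection indicator)."""
    return [ln for ln in lines if INTERNAL_CONN.search(ln) and SQL_ERROR.search(ln)]


def build_sample_projects():
    """Construct a throwaway tree: 'orders' has an active pre-push hook, 'finance' only .sample templates."""
    root = tempfile.mkdtemp(prefix="looker_projects_")
    for project, hooks in (("orders", ["pre-push", "pre-commit.sample"]),
                           ("finance", ["post-update.sample"])):
        hooks_dir = os.path.join(root, project, ".git", "hooks")
        os.makedirs(hooks_dir)
        for hook in hooks:
            with open(os.path.join(hooks_dir, hook), "w") as fh:
                fh.write("#!/bin/sh\necho hook\n")
    return root
```

Point `find_active_hooks` at the directory that holds your Looker project repositories and feed `scan_log_lines` the application log; each returned item is a lead to inspect by hand, not a confirmed compromise.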

For a complete technical breakdown of both “LookOut” vulnerabilities, visit the Tenable blog.

About Tenable
Tenable® is the exposure management company, helping organizations identify and close cybersecurity gaps that erode business value, reputation, and trust. Its AI-powered exposure management platform provides unified visibility and actionable insights across IT infrastructure, cloud environments, and critical infrastructure. Tenable protects approximately 44,000 customers worldwide, reducing risk and safeguarding enterprise operations. Learn more at tenable.com.