Researchers at Tenable have disclosed two vulnerabilities, collectively referred to as “LookOut,” affecting Google Looker. Because the business intelligence platform is deployed by more than 60,000 organizations in 195 countries, the flaws could give attackers a path to system takeover or access to sensitive corporate data.
The uncovered vulnerabilities
The most critical discovery, a RCE chain, allows an attacker to take full control of a Looker server by running their own malicious commands remotely. This action essentially provides attackers with the “keys to the kingdom”, allowing them to steal sensitive secrets, manipulate data, or pivot further into the internal network. In cloud instances, the vulnerability could potentially lead to cross-tenant access.
“This level of access is particularly dangerous because Looker acts as a central nervous system for corporate information, and a breach could allow an attacker to manipulate data or move deeper into a company’s private internal network,” said Liv Matan, Senior Research Engineer at Tenable, who led the discovery.
The second vulnerability the research uncovered allows for the complete theft of Looker’s internal management database. By tricking the system into connecting to its own “private brain,” researchers used a specialized data-extraction technique to download sensitive user credentials and configuration secrets.
What to do?
While Google responded quickly to secure its managed cloud service, the risk remains high for organizations that host Looker on their own private servers or on-premises hardware. These organizations must manually apply security patches, as they currently bear the burden of protecting their infrastructure from potential administrative takeover.
If your Looker instance is self-hosted, you should update to one of the following versions:
- 25.12.30+
- 25.10.54+
- 25.6.79+
- 25.0.89+
- 24.18.209+
Note: releases 25.14 and above are not affected by these security issues.
“Given that Looker is often the central nervous system for an organization’s most sensitive data, the security of its underlying architecture is crucial; however, it remains difficult to secure such systems while providing users with powerful capabilities like running SQL or indirectly interacting with the managing instance’s file system,” said Matan.
Indicators of compromise to watch for
Administrators can detect potential exploitation of these vulnerabilities by reviewing their systems for specific indicators of compromise.
First, they should inspect the file system for any unexpected or unauthorized files within the .git/hooks/ directory of Looker project folders, paying close attention to scripts named pre-push, post-commit, or applypatch-msg that may have been placed there by an attacker.
Additionally, security teams should examine application logs for signs of internal connection abuse, specifically searching for unusual SQL errors or patterns consistent with error-based SQL injection targeting internal Looker database connections like looker__ilooker.
