Why Indian enterprises and partners running Google Looker need to act now

Research finds critical vulnerabilities, exposing self-hosted deployments to system takeover and data theft.


Indian enterprises and channel partners using Google Looker in self-hosted or on-premises deployments need to review their security posture following the discovery of two critical vulnerabilities in the business intelligence platform.

Dubbed LookOut, the vulnerabilities expose Looker environments to the risk of full system takeover and sensitive data theft.

Looker supports analytics and reporting for over 60,000 companies worldwide, including Indian enterprises, global capability centres, and technology service providers.

Tenable research finds that the most severe issue is a remote code execution (RCE) chain that allows an attacker to remotely run malicious commands on a Looker server.

If exploited, the flaw enables threat actors to gain complete administrative control of the platform, access sensitive secrets, manipulate analytics data, and potentially move laterally into an organisation’s internal network.

In cloud environments, the vulnerability could also expose risks related to cross-tenant access.

Tenable’s senior research engineer, Liv Matan, said this level of access is dangerous because Looker acts as a central nervous system for corporate information.

A breach could allow an attacker to manipulate data or move deeper into a company’s private internal network, he added.

Tenable also identified a second vulnerability that allows attackers to extract Looker’s internal management database in full.

By abusing internal database connections, attackers could download sensitive information including user credentials and configuration secrets.

Google responds to vulnerabilities

Google has already secured its managed Looker cloud service.

Organisations running Looker on their own infrastructure remain exposed until they manually apply the required security patches.

This places responsibility on enterprise IT teams, system integrators, and managed service providers supporting these deployments.

“Given that Looker is often the central nervous system for an organization's most sensitive data, the security of its underlying architecture is crucial; however, it remains difficult to secure such systems while providing users with powerful capabilities like running SQL or indirectly interacting with the managing instance's file system,” said Matan.

To monitor potential exploitation, administrators should review systems for specific indicators of compromise.

First, they should inspect the file system for any unexpected or unauthorised files within the .git/hooks/ directory of Looker project folders, paying close attention to scripts named pre-push, post-commit, or applypatch-msg that may have been placed there by an attacker.

Additionally, security teams should examine application logs for signs of internal connection abuse, specifically searching for unusual SQL errors or patterns consistent with error-based SQL injection targeting internal Looker database connections like looker__ilooker.
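The two checks above, written up as an added triage helper (example code, not Tenable's or Google's): it lists non-sample files under any .git/hooks/ directory, ranking the hook names named above first, and picks out log lines that tie a SQL error to the looker__ilooker connection. The project root, the plain-text log format and the SQL error wording are assumptions to adapt to your deployment.

```python
import os
import re
from pathlib import PurePosixPath
from typing import Iterable

# Hook names the advisory singles out; a stock Looker project ships no real
# hooks, so any non-.sample file under .git/hooks/ deserves review.
FLAGGED_HOOKS = {"pre-push", "post-commit", "applypatch-msg"}

# Name of Looker's internal database connection mentioned in the advisory.
INTERNAL_CONN = "looker__ilooker"
# Typical wording of database errors that error-based injection provokes
# (assumed patterns; extend with your own database's messages).
SQL_ERROR_RE = re.compile(r"syntax error|sql ?exception|sql error|conversion failed", re.I)


def suspicious_hooks(paths: Iterable[str]) -> list[str]:
    """Keep paths that are real (non-.sample) files inside a .git/hooks/
    directory, listing the hook names from the advisory before any others."""
    hits = []
    for p in paths:
        parts = PurePosixPath(p.replace(os.sep, "/")).parts
        inside_hooks = len(parts) >= 3 and parts[-3:-1] == (".git", "hooks")
        if inside_hooks and not parts[-1].endswith(".sample"):
            hits.append(p)
    hits.sort(key=lambda p: (PurePosixPath(p).name not in FLAGGED_HOOKS, p))
    return hits


def walk_files(root: str) -> Iterable[str]:
    """Yield every file path below root (os.walk descends into .git too)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(dirpath, name)


def scan_log_lines(lines: Iterable[str]) -> list[str]:
    """Return log lines showing a SQL error tied to the internal connection."""
    return [ln for ln in lines if INTERNAL_CONN in ln and SQL_ERROR_RE.search(ln)]


if __name__ == "__main__":
    # Assumed project root; constructed sample log lines for illustration.
    for hit in suspicious_hooks(walk_files("/path/to/looker/projects")):
        print("hook:", hit)
    sample = [
        "2024-01-01 10:00:01 INFO  query finished connection=sales_dw rows=42",
        "2024-01-01 10:00:02 ERROR query failed connection=looker__ilooker: syntax error near ')'",
    ]
    for line in scan_log_lines(sample):
        print("log :", line)
```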

The findings point to the need for timely patching and ongoing monitoring.