Synopsis
Tenable Research has identified and responsibly disclosed a vulnerability in Google's Looker Studio. The vulnerability allowed an attacker to leak sensitive data from a victim's data source through image rendering.
This vulnerability exploited a combination of features within Looker Studio. An attacker could create a malicious report and attach a victim's data source, such as a Google Sheet, using "Viewer's credentials." By then adding a calculated field to a table within the report, the attacker could craft a formula that used the IMAGE function. This function was configured to load an image from an external, attacker-controlled server and append the victim's data to the image's URL as a query string.
When the victim accessed the report, their browser would attempt to load the images from the attacker's server, inadvertently sending the victim's sensitive data along with the request. The attacker could then log these requests on their server, effectively exfiltrating the victim's data row by row. A single click by the victim on the malicious report or the attacker’s website was sufficient to trigger the exploit and compromise their data.
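From the defender's side, the pattern described above leaves a recognisable trace in egress-proxy or browser-telemetry logs: one report view triggers a burst of image requests to a host outside the expected set, and each request carries a different query string (one row of data per image). The script below is an added example and is not part of the Tenable advisory or of Looker Studio; the log line format, the allowlisted image hosts, the report URL and every sample line are constructed for illustration and would need tuning to a real environment.

```python
"""Flag image loads that carry per-row data in their query strings.

Heuristic detector for exfiltration through image rendering: a report page
causes the viewer's browser to fetch images from a host outside the allowlist,
and each fetch carries a distinct query string. Legitimate images reuse one URL
or a fixed cache-buster, so the count of distinct payloads per (report, host)
stays low; an exfiltration channel produces one distinct payload per data row.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of egress-proxy log lines (not real traffic). Fields:
# timestamp client method url status referer content-type
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET https://www.gstatic.com/looker/img/logo.png 200 https://lookerstudio.google.com/reporting/abc123/page/MK5LF image/png
2024-01-01T10:00:02Z 10.0.0.5 GET https://img.example.net/pixel.gif?r=Alice,alice@example.com,42000 200 https://lookerstudio.google.com/reporting/abc123/page/MK5LF image/gif
2024-01-01T10:00:02Z 10.0.0.5 GET https://img.example.net/pixel.gif?r=Bob,bob@example.com,51000 200 https://lookerstudio.google.com/reporting/abc123/page/MK5LF image/gif
2024-01-01T10:00:02Z 10.0.0.5 GET https://img.example.net/pixel.gif?r=Carol,carol@example.com,47500 200 https://lookerstudio.google.com/reporting/abc123/page/MK5LF image/gif
2024-01-01T10:00:05Z 10.0.0.7 GET https://cdn.example.org/banner.png?v=3 200 https://intranet.example.org/ image/png
"""

# Assumed values for this example: hosts a report is expected to pull images
# from, and the host that serves report pages. Tune both to your environment.
ALLOWED_IMAGE_HOSTS = {"www.gstatic.com", "lookerstudio.google.com"}
REPORT_HOSTS = {"lookerstudio.google.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "
    r"(?P<referer>\S+) (?P<ctype>\S+)$"
)


def parse_line(line):
    """Split one log line into its fields; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_exfil_candidates(log_text, allowed_hosts=ALLOWED_IMAGE_HOSTS,
                          report_hosts=REPORT_HOSTS, min_distinct=3):
    """Return (report, host) pairs where image loads triggered from a report page
    went to a non-allowlisted host with at least `min_distinct` different query
    strings, i.e. the URL itself is carrying data rather than naming an image."""
    payloads = defaultdict(set)   # (report_url, dest_host) -> distinct query strings
    clients = defaultdict(set)    # (report_url, dest_host) -> viewers affected
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["ctype"].startswith("image/"):
            continue
        ref = urlsplit(rec["referer"])
        if ref.hostname not in report_hosts:
            continue  # only image loads triggered from a report page
        dest = urlsplit(rec["url"])
        if dest.hostname in allowed_hosts or not dest.query:
            continue  # expected image host, or no data carried in the URL
        report_url = f"{ref.scheme}://{ref.hostname}{ref.path}"
        key = (report_url, dest.hostname)
        payloads[key].add(dest.query)
        clients[key].add(rec["client"])

    findings = []
    for (report_url, host), queries in payloads.items():
        if len(queries) < min_distinct:
            continue
        findings.append({
            "report": report_url,
            "host": host,
            "distinct_payloads": len(queries),
            "payload_bytes": sum(len(q) for q in queries),
            "clients": sorted(clients[(report_url, host)]),
            "sample": sorted(queries)[0],
        })
    return sorted(findings, key=lambda f: -f["distinct_payloads"])


if __name__ == "__main__":
    for f in find_exfil_candidates(SAMPLE_LOG):
        print(f"suspicious image host {f['host']}: {f['distinct_payloads']} distinct "
              f"payloads ({f['payload_bytes']} bytes) from report {f['report']} "
              f"viewed by {', '.join(f['clients'])}; e.g. ?{f['sample']}")
```

The `min_distinct` threshold is what separates a data channel from ordinary images: a fixed cache-buster such as `?v=3` yields one distinct payload per host however many times it is fetched, whereas one row per image yields as many payloads as rows. In practice the allowlist, not the threshold, does most of the work, so keep it to the hosts your reports are actually expected to load images from.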
Proof of Concept:
Set up a mock data source for the getColumns HTTP request:
- Create a Google Sheets spreadsheet; for this example we will name it “Attacker’s spreadsheet.”
- Populate all columns from A-Z with random data.
Set up the attacker’s report:
- Create a report.
- Choose a connector, for example, Google Sheets.
- Choose the specific data source we just created, “Attacker’s spreadsheet.”
- Uncheck “Use first row as headers” so that columns can be referenced by their letters A-Z.
- Proxy the HTTP requests and forward them, including the getColumns request.
- Intercept the createBlockDatasource and publishDatasource HTTP requests, and change the id of the sheet from the attacker’s to the victim’s sheet.
- Click Resource → Manage added data sources → edit the added Google Sheet data source, and change the credentials to Viewer Credentials.
- Add a chart to the report, preferably a table, by pressing “Add a chart” and choosing a Table.
- Attach the victim’s data source to the table chart; the chart should now show “No Data Set Access.”
- Add a calculated field by pressing the table → “Add dimension” → “Add calculated field” and paste the formula attached to this report, inserting the attacker’s domain in the placeholder.
- Share the report with the victim, and uncheck the “Notify” checkbox.
- (Optional) Make the report embeddable by clicking File → Embed report → check “Enable Embedding” and press Done.
- (Optional) Host a website and embed the report using the iframe snippet provided when embedding is enabled, for example:
<iframe width="600" height="450" src="<Looker Studio embed URL>/<attacker’s-report-id>/page/MK5LF" frameborder="0" style="border:0" allowfullscreen sandbox="allow-storage-access-by-user-activation allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox"></iframe>
- Visit the attacker’s site as the victim, and the data will be exfiltrated.
Solution
Google has remediated the issue.
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected].