Tenable reveals 'LookOut' flaws that endanger Google Looker

Fri, 6th Feb 2026

Tenable Research has identified two critical vulnerabilities in Google Looker that could give attackers remote control of affected servers and access to sensitive corporate data.

The security issues, dubbed "Look Out", affect Looker, a business intelligence platform used by more than 60,000 organisations worldwide. Tenable said the flaws could let an attacker take over a Looker server, extract secrets, and use the system as a route into other parts of a corporate network. It also warned of possible cross-tenant access in cloud environments.

Remote control

The most serious issue involves a remote code execution chain. Tenable said an attacker could run malicious commands remotely and gain administrative control over a Looker instance. That level of access would provide broad visibility into, and control over, the data sources and reporting workflows behind dashboards used across an organisation.

"This level of access is particularly dangerous because Looker acts as a central nervous system for corporate information, and a breach could allow an attacker to manipulate data or move deeper into a company's private internal network," said Liv Matan, senior research engineer at Tenable.

Tenable described the remote code execution chain as equivalent to gaining the "keys to the kingdom". It said this access could enable the theft of sensitive secrets, manipulation of data, and lateral movement into internal systems.

Database theft

The second vulnerability allows the extraction of Looker's internal management database. Tenable said it could expose user credentials and configuration secrets stored in the database, which governs how Looker operates and connects to data systems.

The research describes a method that induces the system to connect back to its own internal resources. Tenable said it used a data extraction approach to download information from the management database, including credentials and configuration secrets.

Such information can have value beyond Looker. Credentials and secrets tied to analytics platforms can grant access to databases, cloud services, and internal tools that Looker connects to for reporting and modelling.

Cloud and self-hosted

Google has secured its managed cloud service, according to Tenable, reducing immediate exposure for customers using Google-managed Looker deployments.

Attention now turns to organisations running Looker in self-hosted environments, including private servers and on-premises deployments. Tenable said these organisations must apply patches themselves, and warned the risk remains significant if unpatched systems leave a route to administrative takeover.

The split between managed and self-managed services is a common fault line in enterprise software security. Managed services allow providers to implement fixes centrally, while self-hosted software relies on internal IT and security teams to track, test, and deploy patches, which can introduce delays.

"Given that Looker is often the central nervous system for an organization's most sensitive data, the security of its underlying architecture is crucial; however, it remains difficult to secure such systems while providing users with powerful capabilities like running SQL or indirectly interacting with the managing instance's file system," said Matan.

Detection steps

Tenable outlined indicators of compromise that security teams can use when investigating possible exploitation. It said administrators should inspect the file system for unexpected or unauthorised files in the .git/hooks/ directory of Looker project folders.

It flagged scripts named pre-push, post-commit, or applypatch-msg as potential artefacts. Git hooks can execute scripts during development or deployment workflows, providing a mechanism for persistence or for running unauthorised commands.

Tenable also advised teams to check application logs for signs of internal connection abuse. It said to look for unusual SQL errors or patterns consistent with error-based SQL injection attempts against internal Looker database connections, including looker__ilooker.
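
The two checks above can be scripted. The following Python example is added here for illustration and is not Tenable's or Google's code: it walks a directory tree for active files in .git/hooks/ and filters log lines that pair looker__ilooker with an SQL error. The project root, the log line format and the error pattern are assumptions; git's stock *.sample templates are skipped because git does not run them.

```python
import os
import re
import tempfile

# Hook names and internal connection name as reported in the article.
FLAGGED_HOOKS = {"pre-push", "post-commit", "applypatch-msg"}
INTERNAL_CONN = "looker__ilooker"

# Assumptions: a crude SQL-error pattern and constructed log lines; real logs differ.
SQL_ERROR = re.compile(r"\bSQL\b.*\berror\b|syntax error", re.I)
SAMPLE_LOG = [
    "2026-02-01 10:00:01 ERROR conn=looker__ilooker SQL error: syntax error in statement",
    "2026-02-01 10:00:02 ERROR conn=warehouse SQL error: timeout",
    "2026-02-01 10:00:03 INFO conn=looker__ilooker query ok",
]


def audit_hooks(root):
    """Return sorted (path, label) for each non-sample file in any .git/hooks dir."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if not dirpath.endswith(os.path.join(os.sep + ".git", "hooks")):
            continue
        for name in files:
            if name.endswith(".sample"):  # git's stock templates never run
                continue
            label = "flagged-name" if name in FLAGGED_HOOKS else "unexpected"
            findings.append((os.path.join(dirpath, name), label))
    return sorted(findings)


def suspicious_log_lines(lines):
    """Return lines pairing the internal connection name with an SQL error."""
    return [ln for ln in lines if INTERNAL_CONN in ln and SQL_ERROR.search(ln)]


def build_demo_tree(root):
    """Create a constructed project layout so the audit runs offline."""
    for rel in ("projA/.git/hooks/pre-push", "projA/.git/hooks/pre-commit.sample",
                "projB/.git/hooks/custom-hook"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        print(audit_hooks(demo), suspicious_log_lines(SAMPLE_LOG))
```

A hit is a lead for review rather than proof of compromise, since teams may install hooks of their own; compare findings against a known-good baseline for each project.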

For security leaders, the report underscores the role analytics platforms can play in modern environments. BI tools often sit at the intersection of identity systems, data warehouses, and operational databases. They can also store saved credentials, API tokens, and project files that reflect how an organisation's data estate is structured.

The disclosure also shows how threats can spread beyond a single application. If an attacker gains administrative control over a BI server, they may gain access to service accounts and connectors that reach into other systems. Security teams typically treat those connectors as privileged pathways because they can provide read access, and sometimes write access, to sensitive sources.

Tenable expects organisations running self-hosted Looker to review their deployments, apply patches, and audit for signs of compromise using the indicators it described.