CVE-2024-5166

6.5 MEDIUM

📋 TL;DR

An Insecure Direct Object Reference vulnerability in Google Cloud Looker allows authenticated users sharing the same LookML model to access metadata they shouldn't be authorized to view. This enables information disclosure across user accounts within the same Looker instance. Organizations using Looker with shared LookML models are affected.

💻 Affected Systems

Products:
  • Google Cloud Looker
Versions: Specific versions not disclosed in references; likely affects multiple versions prior to patch
Operating Systems: Cloud-based service
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated users sharing the same LookML model; Looker instances with shared models across multiple user accounts are vulnerable

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive metadata containing business intelligence, user data patterns, or proprietary analytics logic could be exposed to unauthorized users, potentially enabling further attacks or competitive intelligence gathering.

🟠 Likely Case

Unauthorized access to metadata about queries, dashboards, or user activity patterns, potentially revealing business operations or data relationships.

🟢 If Mitigated

Limited exposure of non-sensitive metadata with proper access controls and model segmentation in place.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of the shared LookML models; no public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in references; Google Cloud Looker service updates automatically

Vendor Advisory: https://cloud.google.com/looker/docs/best-practices/query-id-update-instructions

Restart Required: No

Instructions:

1. Ensure Google Cloud Looker is updated to the latest version.
2. Follow Google's query ID update instructions at the vendor advisory URL above.
3. Review and update LookML model access controls.

🔧 Temporary Workarounds

Implement strict model access controls (applies to: all)

Limit LookML model sharing to only necessary users and implement the principle of least privilege.

Segment sensitive models (applies to: all)

Create separate LookML models for different user groups to limit cross-user metadata exposure.

🧯 If You Can't Patch

  • Implement strict access controls and audit all LookML model sharing permissions
  • Monitor for unusual metadata access patterns and implement additional logging

🔍 How to Verify

Check if Vulnerable:

Check whether an authenticated user who shares a LookML model with other users can retrieve metadata belonging to those users' content that their own permissions should not allow.

Check Version:

Check Looker version in admin console or via Google Cloud Console

Verify Fix Applied:

Verify that metadata access is properly restricted according to user permissions after applying Google's updates

📡 Detection & Monitoring

Log Indicators:

  • Unusual metadata access patterns across user accounts
  • Multiple users retrieving metadata for the same LookML model, particularly for content they did not create

Network Indicators:

  • Increased API calls to metadata endpoints from multiple user accounts

SIEM Query:

No vendor-provided query is available. Correlate Looker access and audit logs for metadata requests against the same LookML model from multiple distinct user accounts within a short time window; the terms 'looker metadata access', 'multiple users', and 'same model' are search hints, not a ready-made query.
