Google Cloud Platform (GCP) Cloud Monitoring Cross-Tenant BigQuery Leak with Custom Dashboard

Tenable Research disclosed a data exfiltration vulnerability in Google Cloud Monitoring that allowed attackers to leak sensitive data from victim's BigQuery datasets. The flaw abused Observability Analytics widgets in custom dashboards that executed with viewer's permissions. Attackers could create malicious SQL queries in dashboard widgets that raised errors containing victim's private BigQuery data, which would be exfiltrated to the attacker's project logs when the victim browsed the shared dashboard. The vulnerability required the attacker to grant IAM permissions to the victim in their tenant and trick them into viewing the malicious dashboard.