Non-existent S3 bucket image link in a public GitHub repository i.e https://github.com/googledatastudio/ds-data-registry.

Hi team,

Recently, while going through make.com company github code i came across a your ds-data-registry repo which is forked by them. This repository contains data sources in following format:

{
  "id": "SOURCE_ID",
  "name": "Source name",
  "categories": ["CATEGORIES"],
  "organization": "ORG_NAME",
  "iconUrl": "https://imageUrl",
  "sourceUrl": "https://sourceUrl",
  "dataVisibility": ["PRIVATE"]
}

Icon link: https://s3.eu-west-3.amazonaws.com/googledatastudio/magnetis-ico.png (bucket => googledatastudio)

When I try to download the files from the bucket it shows that "no such bucket exist". So, I was successfully able to take over the bucket. So through this attacker can act as an imposter and let the user download dangerous file from bucket at users end which could be fatal(like XSS,RCE) for your organization as you are using it.

Steps to reproduce:

1. Go to link : https://github.com/googledatastudio/ds-data-registry

2. Search s3.eu-west-3.amazonaws.com/googledatastudio and you will see the icon links.

bucket-link

3. Now when you to open the link it will show access denied:

AccessDenied

4. Before it shows this (no such bucket):

NoSuchBucket

Impact:

1. Easily deceives the user and download dangerous files which could leads to XSS and RCE at the user/developer end which could be fatal for the organization.

XSS-impact // I have removed this xss file from bucket. This is just for impact only.

2. Public Perception: If this repository belongs to a high-profile organization (e.g., Google Data Studio), a missing or misconfigured resource could signal poor quality assurance practices and reduce user trust.

3. Loss of Credibility: Other developers or organizations using this code might view the repository as unreliable, especially if this bug leads to a visible issue.

POC:

1. Open the link: https://s3.eu-west-3.amazonaws.com/googledatastudio/proof.txt

POC-image

2. All POC images are attached with same name as mentioned above and also find the same report in pdf format.

Remediation:

1. Remove the bucket link from icon link or replace it with another bucket link.

2. If you want the same bucket I will delete/unclaim the bucket.