
[BUG]: S3 bucket image link takeover in a public GitHub repository, i.e. https://github.com/googledatastudio/ds-data-registry, can lead to arbitrary malicious code injection #1132

@bhartisaurav

Description


S3 bucket image link takeover in a public GitHub repository, i.e. https://github.com/googledatastudio/ds-data-registry.

Hi team,

Recently, while going through the make.com company's GitHub code, I came across your ds-data-registry repo, which is forked by them. This repository contains data sources in the following format:

{
  "id": "SOURCE_ID",
  "name": "Source name",
  "categories": ["CATEGORIES"],
  "organization": "ORG_NAME",
  "iconUrl": "https://imageUrl",
  "sourceUrl": "https://sourceUrl",
  "dataVisibility": ["PRIVATE"]
}

Icon link: https://s3.eu-west-3.amazonaws.com/googledatastudio/magnetis-ico.png (bucket => googledatastudio)

When I try to download the files from the bucket, it shows "no such bucket exists".
This icon URL must be updated or removed immediately from your GitHub repo, whether it is yours or someone else's and whether it is in use or not, because if users access this icon URL, even by mistake, it could be fatal, as the icon URL points to an unknown, unclaimed S3 bucket. It can lead the user to XSS or arbitrary malicious code injection on the user's end, or in the worst case can lead to RCE as well. For safety purposes I took over the bucket.

Steps to reproduce:

  1. Go to the link: https://github.com/googledatastudio/ds-data-registry

  2. Search for s3.eu-west-3.amazonaws.com/googledatastudio and you will see the icon links. [screenshot attached]

  3. Now, when you open the link, it shows access denied. [screenshot attached]

  4. Before, it showed this (no such bucket). [screenshot attached]

Impact:

  1. This icon URL points to an unknown, unclaimed S3 bucket, which could be fatal for the users. It can easily lead the user to XSS or arbitrary code injection on the user's end, or in the worst case can lead to RCE as well. [screenshot attached]

  2. To perform arbitrary code injection, an attacker can replace the requested files with malicious files, or an attacker can redirect all user requests for this bucket to some other bucket or to attacker-controlled websites. For information about redirecting requests you can refer to this aws-doc.
     You can also view this POC video, which I made just to show the impact, using a test S3 bucket only:

     POC-xss-and-arbitrary-code-injection-for-impact-testing-only

     In this video I have shown a small scenario only, but an attacker can escalate it to other, more severe vulnerabilities.

  3. Public Perception: If this repository belongs to a high-profile organization (e.g., Google Data Studio), a missing or misconfigured resource could signal poor quality assurance practices and reduce user trust.

  4. Loss of Credibility: Other developers or organizations using this code might view the repository as unreliable, especially if this bug leads to a visible issue.

POC:

  1. Open the link: https://s3.eu-west-3.amazonaws.com/googledatastudio/proof.txt [screenshot attached]

  2. All POC images are attached with the same names as mentioned above; you can also find the same report in PDF format.

Remediation:

  1. Remove the bucket link from the icon link, or replace it with another bucket link.

  2. If you want the same bucket I will delete/unclaim the bucket.
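As an added example, not code from this report or from the ds-data-registry project: a Python audit that walks registry entries of the format shown above, extracts the S3 bucket behind each iconUrl (both path-style and virtual-hosted-style URLs), and separates a bucket that no longer exists (S3 answers NoSuchBucket, so the name is free for anyone to register) from one that merely refuses access (AccessDenied, which means someone owns it). The registry entries, bucket names and S3 responses below are constructed placeholders; `live_probe` is the only part that touches the network and is not used by default.

```python
"""Audit a registry of {"id", "iconUrl", ...} entries for icon links whose S3
bucket no longer exists, i.e. a dangling, re-registrable bucket name."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Two S3 URL styles are recognised (assumption: these cover the registry's icon links):
#   path-style:           https://s3.<region>.amazonaws.com/<bucket>/<key>
#   virtual-hosted-style: https://<bucket>.s3.<region>.amazonaws.com/<key>
S3_HOST_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.-]*)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)

# A probe takes a bucket name and returns {"status": int, "body": str}.
Probe = Callable[[str], Dict[str, object]]


def s3_bucket_from_url(url: str) -> Optional[str]:
    """Return the bucket name an S3 URL refers to, or None for non-S3 URLs."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None
    match = S3_HOST_RE.match(parsed.hostname or "")
    if not match:
        return None
    if match.group("bucket"):
        return match.group("bucket")
    # Path-style: the first path segment is the bucket.
    segments = [s for s in parsed.path.split("/") if s]
    return segments[0] if segments else None


def classify_bucket(bucket: str, probe: Probe) -> str:
    """Map an S3 bucket-root response to 'unclaimed', 'claimed' or 'unknown'.

    S3 answers a GET on the bucket root with:
      404 <Code>NoSuchBucket</Code>  -> the name is free; anyone can register it
      403 <Code>AccessDenied</Code>  -> the bucket exists but is not readable
      301 PermanentRedirect          -> the bucket exists in another region
      200                            -> the bucket exists and lists publicly
    """
    resp = probe(bucket)
    status, body = resp.get("status", 0), str(resp.get("body", ""))
    if status == 404 and "NoSuchBucket" in body:
        return "unclaimed"
    if status in (200, 301, 403):
        return "claimed"
    return "unknown"


def audit_registry(entries: Iterable[dict], probe: Probe) -> List[dict]:
    """Check every entry's iconUrl and report the S3 bucket it depends on."""
    findings = []
    for entry in entries:
        url = str(entry.get("iconUrl", ""))
        bucket = s3_bucket_from_url(url)
        if bucket is None:
            continue  # not hosted on S3; out of scope for this check
        findings.append({"id": entry.get("id"), "iconUrl": url,
                         "bucket": bucket, "state": classify_bucket(bucket, probe)})
    return findings


def dangling_buckets(findings: List[dict]) -> List[str]:
    """Buckets that must be removed from the registry or re-registered by the owner."""
    return sorted({f["bucket"] for f in findings if f["state"] == "unclaimed"})


def live_probe(bucket: str) -> Dict[str, object]:
    """Real probe: GET the bucket root over the global endpoint (network required)."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return {"status": resp.status, "body": resp.read(4096).decode("utf-8", "replace")}
    except urllib.error.HTTPError as err:
        return {"status": err.code, "body": err.read(4096).decode("utf-8", "replace")}
    except urllib.error.URLError:
        return {"status": 0, "body": ""}


# Constructed sample registry: placeholder ids and bucket names, not real entries.
SAMPLE_ENTRIES = [
    {"id": "EXAMPLE_A", "iconUrl": "https://s3.eu-west-3.amazonaws.com/example-unclaimed-bucket/a.png"},
    {"id": "EXAMPLE_B", "iconUrl": "https://example-private-bucket.s3.us-east-1.amazonaws.com/b.png"},
    {"id": "EXAMPLE_C", "iconUrl": "https://example-public-bucket.s3.amazonaws.com/c.png"},
    {"id": "EXAMPLE_D", "iconUrl": "https://icons.example.com/d.png"},
]

# Constructed responses standing in for what S3 would answer for each bucket root.
FAKE_RESPONSES: Dict[str, Dict[str, object]] = {
    "example-unclaimed-bucket": {"status": 404, "body": "<Error><Code>NoSuchBucket</Code></Error>"},
    "example-private-bucket": {"status": 403, "body": "<Error><Code>AccessDenied</Code></Error>"},
    "example-public-bucket": {"status": 200, "body": "<ListBucketResult/>"},
}


def fake_probe(bucket: str) -> Dict[str, object]:
    return FAKE_RESPONSES.get(bucket, {"status": 0, "body": ""})


if __name__ == "__main__":
    results = audit_registry(SAMPLE_ENTRIES, fake_probe)  # pass live_probe for a real run
    print(json.dumps(results, indent=2))
    print("dangling:", dangling_buckets(results))
```

The two states the audit distinguishes are exactly the two the screenshots in this report show: "no such bucket" before the takeover (the reference was dangling) and "access denied" afterwards (the name is now owned). Run against a real registry, only the "unclaimed" findings need a registry change; "claimed" findings still deserve a check that the owner is the organisation that published the registry.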
