Tell HN: Fiverr left customer files public and searchable

831 points by morpheuskafka ↗ HN
Fiverr (gig work/task platform, competitor to Upwork) uses a service called Cloudinary to process PDF/images in messaging, including work products from the worker to client.

Besides the PDF processing value add, Cloudinary effectively acts like S3 here, serving assets directly to the web client. Like S3, it has support for signed/expiring URLs. However, Fiverr opted to use public URLs, not signed ones, for sensitive client-worker communication.

Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII.

Example query: site:fiverr-res.cloudinary.com form 1040

In fact, Fiverr actively buys Google Ads for keywords like "form 1234 filing" despite knowing that it does not adequately secure the resulting work product, causing the preparer to violate the GLBA/FTC Safeguards Rule.

Responsible Disclosure Note -- 40 days have passed since this was notified to the designated vulnerability email (security@fiverr.com). The security team did not reply. Therefore, this is being made public as it doesn't seem eligible for CVE/CERT processing as it is not really a code vulnerability, and I don't know anyone else who would care about it.

71 comments

[ 2.7 ms ] story [ 63.6 ms ] thread
You followed the correct reporting instructions.

https://www.fiverr.com/.well-known/security.txt only has "Contact: security@fiverr.com" and in their help pages they say "Fiverr operates a Bug Bounty program in collaboration with BugCrowd. If you discover a vulnerability, please reach out to security@fiverr.com to receive information about how to participate in our program."

Wow, surprised this isn't blowing up more. Leaking form 1040s is egregious, let alone getting them indexed by Google...
I want to believe that it's people keeping mum until it's fixed so that the leaked PII isn't spread more widely, minimize the risk of bad actors scraping it all.

Once the leak is plugged, I would hope that Fiverr gets absolutely raked over the coals, this is egregious.

(comment deleted)
Woah that's brutal all the important information is wild in public
They bought and.co and then dropped it. strange company
This is crazy! So many tax and other financial forms out in the open. But the most interesting file I’ve seen so far seems to be a book draft titled “HOOD NIGGA AFFIRMATIONS: A Collection of Affirming Anecdotes for Hood Niggas Everywhere”. I made it to page 27 out of 63.
really bad stuff in the results. very easy to find API tokens, penetration test reports, confidental PDFs, internal APIs. Fiverr needs to immediately block all static asset access until this is resolved. business continuity should not be a concern here.
That's wild. Thousands of SSNs in there. Also a lot of Fiverr folks selling digital products and all their PDF courses are being returned for free in the search results.
(comment deleted)
this is a bad leak, appreciate the attempts at disclosure before this
(comment deleted)
Software development jobs are too accessible. Jobs with access to/control over millions of people's data should require some kind of genuine software engineering certification, and there should be business-cratering fines for something as egregious as completely ignoring security reports. It is ridiculous how we've completely normalised leaks like this on a weekly or almost-daily basis.
Unfortunately everything is going in the opposite direction.

We are in the age of AI-slop AI-everything AI-break-it AI-fix-it.

Software companies are competing with each other on how low they can push the quality and still get away with it.

There's no reward or incentive for paying attention to the details or the quality. In fact you will get penalised for it.

This is really bad, just straight up people's income, SSN and worse just right there in the search results on Brave Search even.
I wrote to security@fiverr.com and they just replied:

"You’re the second person to flag this issue to us

Please note that our records show no contact with Fiverr security regarding this matter ~40 days ago unlike the poster claims. We are currently working to resolve the situation"

I guess they used Fiverr for security
Wow, the other comments weren't exaggerating. This is really bad. If my tax returns or other data were part of this, I might consider legal action.

I wonder if somewhere like Wired/Ars Technica/404media might pick this up?

it's been 5 hours. even manual action to take down the most sensitive files should have completed about 3 hours ago at most. what is happening.
Wow this is really really bad. Insane this hasn't been fixed yet, media outlets are going to have a fun time with this story