- Extremely bad stuff here. Can't believe it's been 7 hours now and you can still pull up people's complete prepared tax returns right from a Google search. This should be a business-ending breach of trust and good practices, but I worry there's probably a lack of regulatory might or will to make anything happen.
by applfanboysbgon
10 subcomments
- Software development jobs are too accessible. Jobs with access to/control over millions of people's data should require some kind of genuine software engineering certification, and there should be business-cratering fines for something as egregious as completely ignoring security reports. It is ridiculous how we've completely normalised leaks like this on a weekly or almost-daily basis.
- I am a freelancer on Fiverr, this is VERY concerning. The amount of PII that I have sent over Fiverr, after sending NDA's is potentially all out in the public. I hope there will be accountability for this. IMO Fiverr has had terrible management for years! They simply do not care about their freelancers (and apparently also not about their customers).
- Wow, the other comments weren't exaggerating. This is really bad. If my tax returns or other data were part of this, I might consider legal action.
I wonder if somewhere like Wired/Ars Technica/404media might pick this up?
- You followed the correct reporting instructions.
https://www.fiverr.com/.well-known/security.txt only has "Contact: security@fiverr.com" and in their help pages they say "Fiverr operates a Bug Bounty program in collaboration with BugCrowd. If you discover a vulnerability, please reach out to security@fiverr.com to receive information about how to participate in our program."
- Update: Fiverr denies allegations of a cybersecurity incident on X.
“To be clear, this is not a cyber incident. Fiverr does not proactively expose users’ private information. The content in question was shared by users in the normal course of marketplace activity to showcase work samples, under agreements and approvals between buyers and sellers. This type of content requires the buyer’s consent before it can be uploaded. As always, any request to remove content is handled promptly by our team.”
by HeliumHydride
1 subcomments
- It seems that someone sent a DMCA complaint months ago relating to this: https://lumendatabase.org/notices/53130362
by gregsadetsky
3 subcomments
- I wrote to security@fiverr.com and they just replied:
"You’re the second person to flag this issue to us
Please note that our records show no contact with Fiverr security regarding this matter ~40 days ago unlike the poster claims. We are currently working to resolve the situation"
by weird-eye-issue
0 subcomment
- This is still live???
- Wow, surprised this isn't blowing up more. Leaking form 1040s is egregious, let alone getting them indexed by Google...
- Remember, if you use Google to access any of this “private” information, you’re a hacker and the state of Missouri might try to arrest you!
https://missouriindependent.com/2021/10/14/missouri-governor...
by qingcharles
0 subcomment
- That's wild. Thousands of SSNs in there. Also a lot of Fiverr folks selling digital products and all their PDF courses are being returned for free in the search results.
- really bad stuff in the results. very easy to find API tokens, penetration test reports, confidental PDFs, internal APIs. Fiverr needs to immediately block all static asset access until this is resolved. business continuity should not be a concern here.
- @dang example query feels incredibly doxxy, and feels bad form to link directly to full copies of people's [stuff] and [personal info] as seen on this page :/
I know this is all Fiverr's fault for allegedly missing the responsible disclosure but now is this the ideal way for us to discuss, with these particular examples? I ask not to spare Fiverr, but I would be so mad if I were first for the result in OP or my personal info linked directly...
- There are health stuff too... and they are not even paying attention to this matter
https://fiverr-res.cloudinary.com/image/upload/f_pdf,q_auto/...
- it's been 5 hours. even manual action to take down the most sensitive files should have completed about 3 hours ago at most. what is happening.
- The Cloudinary fix that nobody in this thread is naming is actually two lines. Upload the asset with type set to authenticated instead of the default upload type, and generate a signed URL server side with sign_url true whenever alogged in user requests it. Once the asset is authenticated the public URL stops resolving entirely, so even the Google indexed copies go cold. The reason Fiverr cannot just turn this on now is that they already have years of stored messages where every reference is the default public delivery type, and switching the existing media library from public to authenticated breaks every existing URL across the whole platform. That is the architectural brittleness someone upthread was pointing at, and it is also why the only realistic path forward for them is rotating new uploads to authenticated and accepting that the historical exposure is permanent. What would actually catch this category of mistake earlier, an SDK default that refused to upload anything as public unless you opt in?
- I tried to alert other freelancers on Fiver Forums about htis, but my post got deleted on for 'violating community rules'. I don't see how it did violate the rules, suspicious to say the least.
by deepserket
1 subcomments
- Answer from Fiverr:
"To be clear, this is not a cyber incident. Fiverr does not proactively expose users' private information. The content in question was shared by users in the normal course of marketplace activity to showcase work samples, under agreements and approvals between buyers and sellers. This type of content requires the buyer's consent before it can be uploaded. As always, any request to remove content is handled promptly by our team."
https://x.com/fiverr/status/2044389801495773339?s=20
by johnmlussier
1 subcomments
- Probably not in scope but maybe https://bugcrowd.com/engagements/cloudinary will care?
This is bad.
- In spite of how the pollies sell it, regulation is the friend of anyone earning less than one million dollars per year. Regulation would fix this. Get on it.
- I guess they used Fiverr for security
by hoofhearted
0 subcomment
- Still publicly available.
Just forwarded this post to a few members of Congress.
- It's been 10 hours and all the links in this comment section still work...
- I've been boycotting Fiverr, so I'm glad I'm not caught up in this. And judging by their response to this issue, I'm glad I've been boycotting it.
- From what I’ve seen, this always ends in some small fine/settlement and “no admission of guilt”. This type of protection is the source of these mishaps.
by yellow_lead
0 subcomment
- The files are deleted now, that was fun while it lasted!
by mellosouls
0 subcomment
- Now being reported more widely, linked back to OP, eg:
https://cyberinsider.com/fiverr-exposes-sensitive-data-via-p...
https://cybernews.com/security/fiverr-leak-exposes-user-ids-...
- Wow this is really really bad. Insane this hasn't been fixed yet, media outlets are going to have a fun time with this story
by impish9208
6 subcomments
- This is crazy! So many tax and other financial forms out in the open. But the most interesting file I’ve seen so far seems to be a book draft titled “HOOD NIGGA AFFIRMATIONS: A Collection of Affirming Anecdotes for Hood Niggas Everywhere”. I made it to page 27 out of 63.
- How big of a client is Fiverr? Surely Cloudinary would have alerts for an enterprise client leaking stuff?
Just insane
- I was scammed on Fiverr myself, so I may be biased, but this feels consistent with the platform incentives I saw firsthand. The dispute process did not seem designed to deal well with coordinated abuse, and weak controls around sensitive files would point to the same broader issue: user safety and data handling do not appear to be high priorities.
by mellosouls
0 subcomment
- For anybody who missed OPs bit at the end:
Responsible Disclosure Note -- 40 days have passed since this was notified to the designated vulnerability email (security@fiverr.com). The security team did not reply.
- Woah that's brutal
all the important information is wild in public
- I tried posting a warning to /r/fiverr but the admins removed the post. And the files are STILL public...how in the world is "sitting it out" their course of action?
Edit: I'm beginning to wonder if they might be locked out of their own site at this point. How hard could it be to just shut down the asset server until they get it sorted?
- Fiverr probably hired someone from Fiverr to do the web build security.
by morpheuskafka
1 subcomments
- Files are now returning 404s as of right now, 0900 UTC 4/15.
Would be interesting if someone with an account can check if they are visible to intended users or not, and if so, if their mitigation is robust (signed URLs?).
by sergiotapia
0 subcomment
- This is really bad, just straight up people's income, SSN and worse just right there in the search results on Brave Search even.
by vswaroop04
0 subcomment
- Obvious! They dont care about freelancers
- Looks like the cloudinary links are returning 404 now
by eudamoniac
0 subcomment
- The stock hasn't moved. Puts?
- I don't really see what the issue is here? Someone with access to the URL (either the freelancer or the client) leaked it to Google, Google crawled it. How is this Fiverr's fault? I mean, okay, they could sign URLs, but it's not like they left a folder with directory listing on. Someone with access to the URLs, not them, willingly made the URLs public.
- this is a bad leak, appreciate the attempts at disclosure before this
- They bought and.co and then dropped it. strange company
by BoredPositron
0 subcomment
- Just by scrolling over it that's really rough.
- have you contacted the ftc if their regulation is being violated?
- Yet another in the innumerate examples of privacy statements being completely meaningless. I do think it is important to call this out when it happens, but I'm hardly surprised.
- Given the existing DMCA requests and the fact that Google has become way less aggressive about indexing this stuff, it's clear this has been going on for a while. My guess is they've gutted enough of their internal processes that they literally can't restrict access to these files without breaking their own platform.
You really can't make this shit up: https://www.linkedin.com/feed/update/urn:li:activity:7445526...
The real question is: will Fiverr be the first company to truly crash and burn from an "AI-first" approach? Go LLM, go mayhem!
by iwontberude
1 subcomments
- Loooool what a mess
by preetigagarwal
0 subcomment
- [dead]
- [dead]
- [dead]
by ecommerce_app
0 subcomment
- [dead]
by cheesecaxe666
0 subcomment
- [dead]
- [dead]
by gagagagaga
0 subcomment
- [dead]
- [flagged]
- Bruh this stuff is still public
by popalchemist
0 subcomment
- Burn it to the ground.
- I don't get why disclosing is considered acceptable, it seems like racketeering to me, "pay up or else I'll make this hypothetical issue an actual issue for you"
When I reported an issue and gotten no response, I sat on it for 6 years, reported it again and they took the whole site down without reaching out to me, never quite got it, but if people are doing this, it makes sense not to acknowledge any report and just play deaf.
by walletdrainer
2 subcomments
- > Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII
This is not how Google works.
Hacker News