Fiverr Exposes User Data to Google Indexing
Key Takeaways Fiverr has inadvertently exposed sensitive user files, including tax documents, to public Google search indexing. The exposure stems from a misconfiguration of Fiverr’s...
Key Takeaways
- Fiverr has inadvertently exposed sensitive user files, including tax documents, to public Google search indexing.
- The exposure stems from a misconfiguration of Fiverr’s third-party file-hosting service, Cloudinary, which generated public, rather than authenticated, URLs for attachments.
- Personal identifiable information (PII) from both freelancers and clients is at risk of public access, potentially violating data protection regulations like the FTC Safeguards Rule and GLBA.
- Fiverr has yet to publicly address the issue or implement a fix, despite a responsible disclosure made 40 days prior to public revelation.
Freelance services giant Fiverr is currently facing a significant privacy crisis after researchers uncovered sensitive customer files readily accessible and indexed by Google search engines. This incident puts personal identifiable information (PII) at risk for countless users.
Table Of Content
A recent disclosure on Hacker News detailed how an improperly configured file-hosting system made private documents, including completed tax forms exchanged between freelancers and clients, publicly available.
The Cloudinary Misconfiguration
The core of this data exposure lies in Fiverr’s internal messaging system’s approach to file sharing. The platform utilizes Cloudinary, a third-party service, to manage and host images and PDF documents, including final deliverables sent to clients.
While Cloudinary offers functionalities akin to Amazon S3 storage buckets, supporting secure, expiring web links, Fiverr’s implementation reportedly failed to leverage these security features. Instead of requiring authentication for access, Fiverr allegedly configured the service to generate fully public URLs for these sensitive attachments. This oversight allowed search engines, including Google, to crawl and index these files, making them discoverable by anyone.
The presence of these files in public search results suggests that the public links might have been inadvertently exposed through unprotected HTML pages within Fiverr’s network.
The ramifications of this misstep are considerable. Specific Google search queries can allegedly unearth private documents. For instance, a site-specific search for “form 1040” on Fiverr’s Cloudinary domain reportedly reveals private tax documents containing highly sensitive financial and personal data.
The researcher highlighted a notable irony: Fiverr actively invests in Google Ads for tax preparation services, yet the platform failed to secure the very financial work products resulting from these services. This exposure immediately raises concerns about regulatory compliance. By not adequately securing financial documents, Fiverr and its associated tax preparation freelancers could be in breach of the FTC Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA), both of which mandate stringent protections for consumer financial data.
The researcher who identified the vulnerability claims to have adhered to standard responsible disclosure protocols. A comprehensive vulnerability report was submitted to Fiverr’s designated security team 40 days prior to public disclosure. Following a lack of response or remediation efforts from the company, the researcher decided to publish the findings on Hacker News to alert affected users.
What You Should Do
- Cease sensitive document transfers: Both freelancers and clients should immediately stop sending highly sensitive documents, such as tax forms, government IDs, or medical records, through Fiverr’s internal messaging system.
- Monitor for identity theft: Clients who have previously engaged freelancers for financial or tax preparation services on Fiverr should actively monitor their credit reports and financial accounts for any suspicious or unauthorized activity.
- Review past communications: Users should review their past Fiverr communications to identify any sensitive documents that may have been shared and assess their potential exposure.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.