
Tell HN: Fiverr left customer files public and searchable

98 points by morpheuskafka today at 6:56 PM | 8 comments

Fiverr (gig work/task platform, competitor to Upwork) uses a service called Cloudinary to process PDF/images in messaging, including work products from the worker to client.

Besides the PDF processing value add, Cloudinary effectively acts like S3 here, serving assets directly to the web client. Like S3, it has support for signed/expiring URLs. However, Fiverr opted to use public URLs, not signed ones, for sensitive client-worker communication.

Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII.

Example query: site:fiverr-res.cloudinary.com form 1040

In fact, Fiverr actively buys Google Ads for keywords like "form 1234 filing" despite knowing that it does not adequately secure the resulting work product, causing the preparer to violate the GLBA/FTC Safeguards Rule.

Responsible Disclosure Note -- 40 days have passed since this was notified to the designated vulnerability email ([email protected]). The security team did not reply. Therefore, this is being made public as it doesn't seem eligible for CVE/CERT processing as it is not really a code vulnerability, and I don't know anyone else who would care about it.
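The public-versus-signed distinction the post draws, as an added example that is not part of the thread and is neither Fiverr's nor Cloudinary's code. It builds a plain `upload` delivery URL next to a signed `authenticated` one, and then triages arbitrary delivery URLs the way a reviewer auditing a site would: is this thing fetchable by anyone who finds the path, or is it bound to the account secret? The cloud name, API secret and file paths are constructed for the demo. The signature construction (URL-safe base64 of SHA-1 over `transformation/public_id` plus the secret, truncated to 8 characters, placed as `s--<sig>--/`) follows Cloudinary's published URL-signature format as I understand it and is an assumption; version segments (`v123/`) and the separate token-based expiring-URL mechanism are not modelled.

```python
"""Public vs signed Cloudinary-style delivery URLs (added example, not the thread's code)."""
import base64
import hashlib
import re
from urllib.parse import urlsplit

# Constructed values for the demo. Hypothetical, not real credentials or a real account.
BASE = "https://res.cloudinary.com/demo-cloud"
API_SECRET = "demo-api-secret-do-not-use"

# Matches the delivery part of a Cloudinary-style path regardless of host,
# so it also works for custom subdomains where the cloud name is absent.
_DELIVERY = re.compile(
    r"/(?P<rtype>image|raw|video)/(?P<dtype>upload|private|authenticated)/"
    r"(?:s--(?P<sig>[A-Za-z0-9_-]{8})--/)?(?P<rest>.+)$"
)


def url_signature(to_sign: str, secret: str) -> str:
    """First 8 chars of URL-safe base64(SHA-1(to_sign + secret)).

    Assumption: this mirrors Cloudinary's documented URL-signature
    construction (SHA-1 variant, 8-character truncation). Version
    segments are not handled here.
    """
    digest = hashlib.sha1((to_sign + secret).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:8]


def public_url(public_id: str, transformation: str = "") -> str:
    """What the post describes: plain 'upload' delivery with no signature.

    Anyone who learns the path can fetch it, and a crawler that finds a
    link to it can index it. Nothing in the URL depends on a secret.
    """
    tail = f"{transformation}/{public_id}" if transformation else public_id
    return f"{BASE}/image/upload/{tail}"


def signed_url(public_id: str, transformation: str = "",
               delivery_type: str = "authenticated") -> str:
    """Signed delivery: the s--<sig>--/ component binds the exact
    transformation and public_id to the account secret. With the
    'authenticated' delivery type a request lacking a valid signature
    is rejected at the edge, so an indexed or guessed path is useless.
    """
    tail = f"{transformation}/{public_id}" if transformation else public_id
    sig = url_signature(tail, API_SECRET)
    return f"{BASE}/image/{delivery_type}/s--{sig}--/{tail}"


def classify(url: str, secret: str = "") -> str:
    """Triage a delivery URL.

    'public'         upload type, no signature: fetchable by anyone
    'signed'         carries a signature (recomputed and checked if secret given)
    'bad-signature'  carries a signature that does not verify (tampered path)
    'unsigned-auth'  authenticated/private type but no signature component
    'not-cloudinary' path does not look like a Cloudinary delivery URL
    """
    m = _DELIVERY.search(urlsplit(url).path)
    if not m:
        return "not-cloudinary"
    sig, dtype, rest = m.group("sig"), m.group("dtype"), m.group("rest")
    if sig is None:
        return "public" if dtype == "upload" else "unsigned-auth"
    if secret and url_signature(rest, secret) != sig:
        return "bad-signature"
    return "signed"


if __name__ == "__main__":
    # Constructed file path; stands in for a work product sent in messaging.
    doc = "clients/acme/form-1040.pdf"
    weak = public_url(doc)
    strong = signed_url(doc)
    print(weak, "->", classify(weak))
    print(strong, "->", classify(strong, API_SECRET))
    # Changing any part of the path invalidates the signature.
    print(classify(strong.replace("form-1040", "form-1041"), API_SECRET))
```

Run against a list of URLs harvested from a page or a search-result export, `classify()` flags every `public` hit as a candidate leak without fetching anything; `bad-signature` results show why a signed URL cannot be rewritten to reach a neighbouring file. Query-string tokens and signed cookies, which add expiry on top of this, are outside the example.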


Comments

impish9208 today at 9:29 PM

This is crazy! So many tax and other financial forms out in the open. But the most interesting file I’ve seen so far seems to be a book draft titled “HOOD NIGGA AFFIRMATIONS: A Collection of Affirming Anecdotes for Hood Niggas Everywhere”. I made it to page 27 out of 63.

mtmail today at 7:15 PM

You followed the correct reporting instructions.

https://www.fiverr.com/.well-known/security.txt only has "Contact: [email protected]" and in their help pages they say "Fiverr operates a Bug Bounty program in collaboration with BugCrowd. If you discover a vulnerability, please reach out to [email protected] to receive information about how to participate in our program."

wxw today at 7:28 PM

Wow, surprised this isn't blowing up more. Leaking form 1040s is egregious, let alone getting them indexed by Google...

mraza007 today at 8:00 PM

Woah, that's brutal. All the important information is wild in public.

smashah today at 9:15 PM

They bought and.co and then dropped it. Strange company.

popalchemist today at 9:06 PM

Burn it to the ground.

BoredPositron today at 8:58 PM

Just by scrolling over it, that's really rough.

iwontberude today at 9:19 PM

Loooool what a mess