Fiverr Exposes Private Information of its Users Publicly on Google Search Results
A security researcher on Hacker News claims that sensitive documents like tax forms shared between Fiverr users in private messages ended up publicly indexed by search engines like Google.
Fiverr uses a third-party service called Cloudinary to process and serve PDF documents and images in its built-in messaging feature. The researcher points out that Cloudinary acts like S3, serving the images and files directly to users.
“Like S3, it has support for signed/expiring URLs. However, Fiverr opted to use public URLs, not signed ones, for sensitive client-worker communication.”
As of the writing of this article, the documents are still publicly indexed by Google.
You can try it out yourself using the example search query site:fiverr-res.cloudinary.com form 1040 or any other keywords.

The researcher also claims that “Fiverr actively buys Google Ads for keywords like "form 1234 filing" despite knowing that it does not adequately secure the resulting work product, causing the preparer to violate the GLBA/FTC Safeguards Rule.”
They say they responsibly disclosed the issue to Fiverr 40 days ago via their designated vulnerability email, security@fiverr.com, but they got no response.
“Therefore, this is being made public as it doesn't seem eligible for CVE/CERT processing as it is not really a code vulnerability, and I don't know anyone else who would care about it.”
In a reply to Cybernews on X, Fiverr responded to the claims:
To be clear, this is not a cyber incident. Fiverr does not proactively expose users' private information. The content in question was shared by users in the normal course of marketplace activity to showcase work samples, under agreements and approvals between buyers and sellers.…
— Fiverr (@fiverr) April 15, 2026
In Cybernews’ article on the subject, they point out that, ironically, Fiverr’s own ISO 27001 certification for information security has, of course, expired.

The research team at Cybernews analyzed the problem and independently confirmed the claims.
Aras Nazarovas, an information security researcher at Cybernews, said “this is a major security lapse by Fiverr, due to the links being publicly accessible and indexable, a lot of resources are already indexed by Google. Essentially all files that were shared between service buyers and sellers, including personal identity documents, sensitive contracts, passwords, and API keys shared with contractors, finished and work-in-progress deliverables.”
It’s disappointing to see Fiverr deny the security implications of publicly listing personal details of its users. It would be bad if it was just private messages, but due to the nature of the platform there’s an abundance of the most sensitive data that would be maximally devastating to leak.