Tell HN: Fiverr left customer files public and searchable

Fiverr (gig work/task platform, competitor to Upwork) uses a service called Cloudinary to process PDF/images in messaging, including work products from the worker to client.

Besides the PDF processing value add, Cloudinary effectively acts like S3 here, serving assets directly to the web client. Like S3, it has support for signed/expiring URLs. However, Fiverr opted to use public URLs, not signed ones, for sensitive client-worker communication.

Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII.

Example query: site:fiverr-res.cloudinary.com form 1040

In fact, Fiverr actively buys Google Ads for keywords like "form 1234 filing" despite knowing that it does not adequately secure the resulting work product, causing the preparer to violate the GLBA/FTC Safeguards Rule.

Responsible Disclosure Note -- 40 days have passed since this was notified to the designated vulnerability email (security@fiverr.com). The security team did not reply. Therefore, this is being made public as it doesn't seem eligible for CVE/CERT processing as it is not really a code vulnerability, and I don't know anyone else who would care about it.

418 points | by morpheuskafka 9 hours ago

35 comments

  • evmaki 1 hour ago
    Extremely bad stuff here. Can't believe it's been 7 hours now and you can still pull up people's complete prepared tax returns right from a Google search. This should be a business-ending breach of trust and good practices, but I worry there's probably a lack of regulatory might or will to make anything happen.
  • pesus 3 hours ago
    Wow, the other comments weren't exaggerating. This is really bad. If my tax returns or other data were part of this, I might consider legal action.

    I wonder if somewhere like Wired/Ars Technica/404media might pick this up?

    [-]
  • applfanboysbgon 5 hours ago
    Software development jobs are too accessible. Jobs with access to/control over millions of people's data should require some kind of genuine software engineering certification, and there should be business-cratering fines for something as egregious as completely ignoring security reports. It is ridiculous how we've completely normalised leaks like this on a weekly or almost-daily basis.
    [-]
    • morpheuskafka 5 hours ago
      They may be part of it, but as a publicly traded company, there's got to be a at least a few people there with a fancy pedigree (not that that actually means they are good at their job or care). But if such a test existed, they presumably would have passed it.

      They also have an ISO 27001 certificate (they try to claim a bunch of AWSs certs by proxy on their security page, which is ironic as they say AWS stores most of their data while apparently all uploads are on this).

      [-]
      • trollbridge 3 hours ago
        A while ago I had a customer come to me who had a simple Shopify site and fell for a phishing type of attack where someone simply had an email like "shopify_security at gmail" and kept telling her she needed to apply all kinds of changes. They laundered the payments through Fiverr.

        Then they would install WordPress plugins to make the site worse and claim even more "work" was needed.

        I documented the entire thing, including my own credentials, and sent it off to Fiverr. Fiverr's response was everything was fine and there was nothing they could do about it, even though it was obvious fraud.

        Google never did anything about it either, nor did Shopify.

        Given how they handled such a minor situation like that... I guess it shouldn't be surprising they're just asleep at the switch for a major one like this.

    • Aurornis 2 hours ago
      > should require some kind of genuine software engineering certification

      Wouldn't change a thing, other than add another hassle you have to pay for to do your job.

      This is the result of carelessness, not someone who didn't know that private data should be private because they weren't certified.

      [-]
      • applfanboysbgon 2 hours ago
        This is the result of somebody who has no idea how the fuck the tech they're using works. They surely knew it should be private, but they did not know that they were making it publicly available because they were blindly fumbling their way around in a job beyond their competence level. There is a 0% chance this was ordinary carelessness, in the form of "I know better but don't care enough", this is so clearly a case of "I don't know what I'm doing".
        [-]
        • Aurornis 1 hour ago
          Any time someone tries to suggest certification as a solution I ask the same question: How would it have solved this problem?

          Would the certification require someone to take an official certification test for the framework used?

          And therefore we’re only allowed to use frameworks which have certification tests available?

          If you want to write some new software, do you have to generate a certification for it and get that approved so people are allowed to use it?

          Sounds like a great way to force us all to use Big Company approved software because they’re the only ones with pockets deep enough to play all of the certification games

          [-]
          • applfanboysbgon 42 minutes ago
            The fact that you're thinking purely in frameworks is the exact problem that plagues the software industry. Framework-focused development is why we're in this mess; frameworks make it easy for people who don't understand how to program to publish shitty software by copying-and-pasting code and fudging around a few strings or variables to match their use case. That kind of accessibility is great for low-stakes software, letting anyone make interesting toys, but should be completely unacceptable in a professional environment with, for example, people's fucking tax documentation at stake.

            If I had my way, the certification process starts at the bottom of the stack, ie. you should be expected to have a functional knowledge of assembly instructions, memory management, registers, the call stack, and build up from there. Not that we need to write assembly on a daily basis, but all of the abstractions are built on top of that, and you cannot realistically engineer secure software if you don't understand what is being abstracted away. If you do understand the things being abstracted away, you have the fundamentals necessary to do good work with any programming language or framework. Throw in another certification starting from networking fundamentals if your job involves that. 30 years ago, most professional programmers had this level of understanding as table stakes, so we can hardly say it's an unrealistic burden that's impossible to meet.

            Would it be a higher barrier to entry that massively cuts the size of the field working on sensitive software and slows software development down, yes. That is exactly what we need. There was a time when people built bridges that collapsed, then we implemented standards and expected engineers to do real work to make sure that didn't happen. Is that work expensive and expertise-intensive, yes, do bridges still collapse, only very rarely. We are witnessing software bridge collapses on a weekly basis, which should be seen as completely unacceptable. The harm is less obvious than when everyone on a bridge dies, but I do think that routinely leaking millions of people's sensitive data is causing serious harm and likely does lead to people dying in second-order effects.

      • hilariously 1 hour ago
        It's so much worse in the industry, the truth is that many people literally have no idea how to secure things, what to secure, why to secure it - they pay no attention and are plainly ignorant of the state of the world and oftentimes just stupid.

        I worked at a company where a customer called confused because when they googled our company as they did every day to login to their portal they found that drivers licenses we stored were available on the public internet.

        The devs literally didn't know about direct object access and thought obfuscation was enough, didn't know about how robots.txt worked, didn't know about google webmaster shit, didn't know about sitemaps, they were just the cheapest labor the company could find who could do the thing.

        This is a huge portion of outsourced labor in my experience, not because they are worse overseas in any respect, but because the people looking for cheap labor were always looking for the cheapest labor and had no idea how that applied to the actual technical work of running their business.

    • ge96 1 hour ago
      People at my company don't even lock their computer when they walk away from their desk. Which yeah it's in a controlled environment but still.
      [-]
      • SillyUsername 29 minutes ago
        We used to flip display upside down in display options, which also reverses the mouse. We'd then lock the PC and disconnect the keyboard. After they figured out the keyboard had been pulled they often couldn't work out why their screen was upside down...
      • yojo 1 hour ago
        My work has a “donuts” slack channel for this. You find an unlocked computer you post “donuts on me!” Social pressure says they buy the office donuts.

        Still get a few a week, but at least it’s public and amusing.

    • philip1209 1 hour ago
      good thing it's getting easier to code - nothing bad can come of this :-)
    • fnimick 4 hours ago
      At least I'm sure LLM tools deploying code to production won't result in this happening more frequently. "Make sure it's secure. Make no mistakes."
      [-]
      • coldtea 4 hours ago
        "You were right, mistakes have been made!"
    • Loughla 4 hours ago
      Teachers have to be licensed and keep up on licensing.

      Plumbers. Electricians. Lawyers. Doctors. Hell, I have to get a license to run my own business.

      Why shouldn't software come with a branch for licenses if you're working with sensitive data?

      [-]
      • bradleyankrom 2 hours ago
        Hairdressers!
      • coldtea 4 hours ago
        We're going the other way: now any random vibe coded slop is the norm.
        [-]
        • bad_haircut72 3 hours ago
          Normalize "vibe-plumbing"
          [-]
          • bombcar 2 hours ago
            Both plumbing and wiring are “easier” in a way than programming-as they’ll violently and potentially explosively let you know if you messed up; whereas programming lets you be blissfully unaware until you see your data plastered across the nightly news.
          • lotsofpulp 1 hour ago
            It is, it just usually results in immediate calls to actual plumbers without anyone else finding out. Or it’s hidden behind some new drywall and paint until a different occupant finds out.
  • mtmail 8 hours ago
    You followed the correct reporting instructions.

    https://www.fiverr.com/.well-known/security.txt only has "Contact: security@fiverr.com" and in their help pages they say "Fiverr operates a Bug Bounty program in collaboration with BugCrowd. If you discover a vulnerability, please reach out to security@fiverr.com to receive information about how to participate in our program."

  • gregsadetsky 5 hours ago
    I wrote to security@fiverr.com and they just replied:

    "You’re the second person to flag this issue to us

    Please note that our records show no contact with Fiverr security regarding this matter ~40 days ago unlike the poster claims. We are currently working to resolve the situation"

    [-]
    • morpheuskafka 4 hours ago
      I have uploaded the email here: https://gist.github.com/aidanbh/3da7cecb3e2496e5c5110b88f21b...

      (technically, I guess that doesn't prove anything other than it is in my Sent folder? it has a message ID but I guess only the purelymail admin could confirm that)

      In any event, this should never have required an outside reminder. The indexing issue may be something non obvious. But the core decision not to use signed/expiring URLs is nothing less than good old security by obscurity.

      [-]
      • trollbridge 3 hours ago
        I've contacted fiverr before about obvious fraud being conducted through their platform, and they just sent me in endless loops of "open a ticket". "No, e-mail us about it." "No, e-mail us at our security contact about it." Crickets, and then a response saying to please open a ticket.

        Basically, they aren't set up for anyone to actually contact them and expect a resolution.

    • trollbridge 3 hours ago
      Gee, that response doesn't sound defensive at all.
    • Loughla 4 hours ago
      So who has more incentive to lie, fiverr or OP?
      [-]
      • applfanboysbgon 4 hours ago
        Is this even a question? Obviously, the company that has publicly posted people's tax forms on the internet is very trustworthy and we should eagerly believe everything they say.

        I don't think it even comes down to "lying". It's possible that they genuinely believe they didn't receive contact, but given that they are verifiably completely and totally incompetent and have no right to be employed in their current role, they've earned exactly zero benefit of doubt.

        [-]
        • morpheuskafka 4 hours ago
          @janoelze -- that was my thought too, though less so that they wouldn't share a claim of not being notified at all with a third party, but more that those kind of things need to go through legal/comms/etc not whoever runs the security mailbox. if the person running the email box is not the CISO, surely they at least need the CISOs approval to say something beyond a thank you or followup questions? (and if they are the CISO, then they have bigger things to worry about then replying...)
        • janoelze 4 hours ago
          (weird to share any details about this incident to uninvolved parties via email anyway)
  • HeliumHydride 5 hours ago
    It seems that someone sent a DMCA complaint months ago relating to this: https://lumendatabase.org/notices/53130362
  • wxw 8 hours ago
    Wow, surprised this isn't blowing up more. Leaking form 1040s is egregious, let alone getting them indexed by Google...
  • qingcharles 5 hours ago
    That's wild. Thousands of SSNs in there. Also a lot of Fiverr folks selling digital products and all their PDF courses are being returned for free in the search results.
  • janoelze 5 hours ago
    really bad stuff in the results. very easy to find API tokens, penetration test reports, confidental PDFs, internal APIs. Fiverr needs to immediately block all static asset access until this is resolved. business continuity should not be a concern here.
    [-]
    • mpeg 5 hours ago
      lots of admin credentials too, which have probably never been changed
      [-]
      • janoelze 5 hours ago
        admin passwords to dating sites, that's the stuff people get blackmailed with
        [-]
        • qq66 5 hours ago
          How does someone's dating site password end up in Fiverr?
          [-]
          • janoelze 5 hours ago
            it's worse than you think – it's an admin password to the ~whole site~
            [-]
            • I-M-S 2 hours ago
              How does an admin password to the whole site end up on Fiverr?
              [-]
              • csomar 48 minutes ago
                There are lots of passwords there (though one wonder if they were rotated). Basically, the people doing the hiring are sending PDFs with their credentials to the contractors to do the job.
            • xtracto 3 hours ago
              Oh my. I feel for the tech team at fiverr. I'm sure it's nasty in there. Sending virtual hugs.
              [-]
              • bombcar 2 hours ago
                They have a dating site password! They can get real hugs.
            • hungry-hackerth 1 minute ago
              [dead]
  • janoelze 3 hours ago
    it's been 5 hours. even manual action to take down the most sensitive files should have completed about 3 hours ago at most. what is happening.
    [-]
    • tag2103 3 hours ago
      Nothing- they are just hoping this will blow over.
      [-]
      • Barbing 1 hour ago
        Do I have to start emailing the people in the leaked documents with screenshots?
    • ollien 3 hours ago
      I've never been in the position that I've had to deal with this. Is the best you can do in this situation to pull the files and optionally republish them to a robots.txt'd path (with authn/z, too)? I can't imagine you can get it pulled from search engines very quickly...
  • npilk 1 hour ago
    Remember, if you use Google to access any of this “private” information, you’re a hacker and the state of Missouri might try to arrest you!

    https://missouriindependent.com/2021/10/14/missouri-governor...

  • Barbing 1 hour ago
    @dang example query feels incredibly doxxy, and feels bad form to link directly to full copies of people's [stuff] and [personal info] as seen on this page :/

    I know this is all Fiverr's fault for allegedly missing the responsible disclosure but now is this the ideal way for us to discuss, with these particular examples? I ask not to spare Fiverr, but I would be so mad if I were first for the result in OP or my personal info linked directly...

  • johnmlussier 6 hours ago
    Probably not in scope but maybe https://bugcrowd.com/engagements/cloudinary will care?

    This is bad.

    [-]
    • morpheuskafka 6 hours ago
      They probably wouldn't act immediately as there's no way for them to enable signing without breaking their client's site. The only cleanup you could do without that would be having google pull that subdomain I guess?

      (Fiverr itself uses Bugcrowd but is private, having to first email their SOC as I did.)

  • 101008 1 hour ago
    There are health stuff too... and they are not even paying attention to this matter

    https://fiverr-res.cloudinary.com/image/upload/f_pdf,q_auto/...

  • psygn89 4 hours ago
    I guess they used Fiverr for security
  • figassis 1 hour ago
    From what I’ve seen, this always ends in some small fine/settlement and “no admission of guilt”. This type of protection is the source of these mishaps.
  • ebbi 1 hour ago
    I've been boycotting Fiverr, so I'm glad I'm not caught up in this. And judging by their response to this issue, I'm glad I've been boycotting it.
  • cleaning 2 hours ago
    Wow this is really really bad. Insane this hasn't been fixed yet, media outlets are going to have a fun time with this story
  • impish9208 6 hours ago
    This is crazy! So many tax and other financial forms out in the open. But the most interesting file I’ve seen so far seems to be a book draft titled “HOOD NIGGA AFFIRMATIONS: A Collection of Affirming Anecdotes for Hood Niggas Everywhere”. I made it to page 27 out of 63.
    [-]
    • trollbridge 3 hours ago
      I dunno, page 27 is where it started getting good. I actually have to admit I like this guy's relentless positivity and he actually spent real money to pay someone via Fiverr to typeset it, edit it, etc. for him.
    • mmonaghan 3 hours ago
      after reading it, it's super positive and really great. I wouldn't consider myself the target audience for this, but ill probably work it into my morning practice a little for a couple weeks.
    • onraglanroad 6 hours ago
      I've read worse. Better than Dan Brown!
      [-]
    • yieldcrv 5 hours ago
      I found someone's manuscript, at first I thought it would be scandalous to find it ghost written, but it actually is just annotations and someone proof reading it, the annotations come up in the PDF

      I found the author on Amazon and the book still hasn't been released

      this is sad

    • sergiotapia 5 hours ago
      Link please :pray:
      [-]
  • rapfaria 2 hours ago
    How big of a client is Fiverr? Surely Cloudinary would have alerts for an enterprise client leaking stuff?

    Just insane

  • mraza007 7 hours ago
    Woah that's brutal all the important information is wild in public
  • sergiotapia 5 hours ago
    This is really bad, just straight up people's income, SSN and worse just right there in the search results on Brave Search even.
  • csomar 34 minutes ago
    Given the existing DMCA requests and the fact that Google has become way less aggressive about indexing this stuff, it's clear this has been going on for a while. My guess is they've gutted enough of their internal processes that they literally can't restrict access to these files without breaking their own platform.

    You really can't make this shit up: https://www.linkedin.com/feed/update/urn:li:activity:7445526...

    The real question is: will Fiverr be the first company to truly crash and burn from an "AI-first" approach? Go LLM, go mayhem!

  • smashah 6 hours ago
    They bought and.co and then dropped it. strange company
  • popalchemist 6 hours ago
    Burn it to the ground.
  • BoredPositron 6 hours ago
    Just by scrolling over it that's really rough.
  • Jbird2k 1 hour ago
    Bruh this stuff is still public
  • yieldcrv 5 hours ago
    this is a bad leak, appreciate the attempts at disclosure before this
  • iwontberude 6 hours ago
    Loooool what a mess
    [-]
    • xtracto 4 hours ago
      I just looked at the google search results... Holly cow... it is bad bad bad
  • gagagagaga 1 hour ago
    [dead]
  • fortran77 2 hours ago
    [flagged]
  • walletdrainer 5 hours ago
    > Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII

    This is not how Google works.

    [-]
    • AndroTux 5 hours ago
      It kind of is, though. Google doesn't randomly try to visit every URL on the internet. It follows links. Therefore, for these files to be indexed by Google, they need to be linked to from somewhere.
      [-]
      • Barbing 1 hour ago
        Good thing, otherwise they would have exposed countless photos via Google Photos.

        Today, a photo file might be hosted at:

          photos.fife.usercontent.google.com/pw/[snip]=w[####]-h[####]-s-no-gm?authuser=0
        But it used to be a little closer to:

          ...[google_site].com/[superLongAlphanumeric].jpg
        And no auth required, URL only!
      • xtracto 4 hours ago
        Exactly , that's whyb"non public" github gists work. They are public, but not indexed anywhere "by default "
    • weird-eye-issue 2 hours ago
      It's exactly how it works, pages don't just magically appear in Google's index.

      You need links to pages either from your own website or backlinks from other websites. Alternatively if the page is in your sitemap then Google will typically pick it up or you can manually submit it for indexing. For important pages you would typically want internal links, backlinks, and have it in your sitemap.