Fiverr, a prominent freelance marketplace, is embroiled in a privacy controversy after a researcher found that personal customer files exchanged on the platform have been indexed by Google and are publicly accessible. The exposure, highlighted on Hacker News, stems from a misconfigured file-hosting setup rather than an intrusion: sensitive documents, including tax forms exchanged between freelancers and clients, were served from links that anyone, including a search-engine crawler, could fetch.
The Cloudinary Configuration Issue
The problem originated in how Fiverr handles file exchanges within its messaging system. Fiverr uses Cloudinary, a third-party media service, to store and serve images and documents, including completed work delivered to clients. Although Cloudinary supports signed, time-limited delivery URLs, Fiverr reportedly configured it to serve these files from permanent, unauthenticated URLs. With no access control on the asset itself, possession of the link is the only thing standing between a file and the public, and search engines like Google were able to index the files.
The public links reportedly appeared on HTML pages on Fiverr's own domains that were themselves crawlable, which is how the file URLs reached Google's index. The consequences are severe: specific Google queries can reportedly surface private documents such as tax forms containing essential financial data.
Regulatory and Security Concerns
The situation is a striking inconsistency: Fiverr buys Google Ads to promote tax-related services while failing to secure the sensitive outputs of those very services. The lapse raises significant regulatory concerns, potentially breaching the Federal Trade Commission's Safeguards Rule, issued under the Gramm-Leach-Bliley Act, both of which demand rigorous protection of consumer financial information.
The researcher who uncovered the issue followed responsible disclosure, notifying Fiverr's security team 40 days before publication. With no response or corrective action from Fiverr in that window, the researcher published the findings to warn potentially affected users.
Recommendations and User Precautions
Until Fiverr addresses this flaw, affected users face a real risk of identity theft and financial fraud. Freelancers and clients should stop sending sensitive documents through Fiverr's messaging platform. Fiverr, for its part, should promptly update its Cloudinary integration so that delivered files are served only through signed URLs that expire shortly after they are issued (or after a single download), so that a leaked or indexed link stops working on its own.
The company must also act swiftly to request removal of the exposed directories from Google's search index. De-indexing alone is not a fix, however: the files remain reachable at their URLs until the links themselves are made private, and Google's index is only one of the places those links may have been copied. Clients who have purchased financial services on Fiverr should monitor their credit reports closely for any unauthorized activity.
