Fiverr Privacy Incident - User Data Leaked to Google Indexing

Fiverr is under scrutiny after a significant privacy incident exposed sensitive user data due to misconfigured file hosting. Users are advised to take immediate precautions.


Original Reporting

Cyber Security News · Dhivya

AI Summary

CyberPings AI · Reviewed by Rohit Rana

Fiverr accidentally made sensitive user files public on Google because of a mistake in how they stored these files. This means personal information like tax forms and IDs could be seen by anyone. Experts say users should be careful and check their accounts for any unusual activity.

What Happened

Freelance service platform Fiverr is facing a significant privacy incident after researchers discovered that sensitive customer files are publicly accessible and indexed by Google search. According to a recent disclosure on Hacker News and corroborated by HackRead, an insecure file-hosting configuration has exposed personally identifiable information (PII), including completed tax forms, driver's licenses, and work contracts exchanged between freelancers and clients.

The Cloudinary Misconfiguration

The root of the data exposure lies in how Fiverr handles file sharing within its internal messaging system. The platform relies on a third-party service called Cloudinary to process and host images and PDF documents, including final work products delivered to clients. While Cloudinary supports secure, expiring web links, Fiverr reportedly configured the service incorrectly, opting to generate fully public URLs for sensitive attachments. This oversight allowed search engines like Google to crawl and index these files, making them easily discoverable.

The exposed information reportedly includes not only tax documents but also official identification, private work deliverables, passwords, API keys, and other sensitive data. The researcher who discovered the issue claims to have followed standard responsible disclosure protocols, sending a detailed vulnerability report to Fiverr’s security team 40 days prior to the public release. After receiving no response or remediation efforts from the company, the researcher published the findings to warn affected users.

Regulatory Concerns

Fiverr has denied that a security breach occurred, asserting that users consented to sharing these files for marketplace activities. However, cybersecurity experts argue that user consent for specific transactions does not equate to consent for public exposure. This raises immediate regulatory concerns, as the failure to secure financial documents could put Fiverr and its freelancers in violation of the FTC Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA), which mandate strict protections for consumer financial data.

Expert Opinions

Cybersecurity experts emphasize the importance of user awareness regarding the risks associated with sharing sensitive information on platforms like Fiverr. They advise users who shared identification or tax forms on the platform to monitor for identity theft and change credentials promptly. The lack of response from Fiverr to the initial disclosure raises additional concerns about the company's commitment to user privacy and security.

Key Takeaways and Mitigations

Until Fiverr resolves this public exposure, users are at risk of identity theft and financial fraud. Both freelancers and clients should take immediate precautions:

  • Halt sensitive transfers: Users should temporarily stop sending sensitive documents, such as tax forms or medical records, through Fiverr’s messaging system.
  • Implement signed URLs: Fiverr must urgently update its Cloudinary integration to utilize signed, time-limited URLs for all user-to-user file transfers to ensure files expire after being downloaded.
  • Request search de-indexing: The company needs to issue urgent takedown requests to Google to remove the exposed domain directories from public search results.
  • Monitor for identity theft: Clients who purchased financial or tax preparation gigs on Fiverr should monitor their credit reports for unauthorized activity and change credentials as necessary.

Pro Insight

The ongoing situation highlights the critical need for platforms to prioritize proper configuration of third-party services to protect user data. The lack of response to the initial disclosure raises questions about Fiverr's commitment to user security.

Story Timeline

Story broken by Cyber Security News

Covered by Cyber Security News

Covered by SC Media

Source Perspective Analysis

Technical Focus

“HackRead emphasizes the technical missteps in Fiverr's use of Cloudinary, highlighting the risks of improper file storage configurations.”

Source: HackRead

Business Impact Focus

“Cybersecurity experts warn that Fiverr's lack of response and denial of a breach could lead to significant trust issues among users and potential regulatory scrutiny.”

Source: HackRead
