Fiverr Allegedly Leaks User Information to Google Indexing, Researchers Say
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Freelance service platform Fiverr is facing a significant privacy incident after researchers discovered that sensitive customer files are publicly accessible and indexed by Google search<\/a>. <\/p>\n According to a recent disclosure on Hacker News, an insecure file-hosting configuration has exposed personal identifiable information (PII), including completed tax forms, that were exchanged between freelancers and clients.<\/p>\n The root of the data exposure lies in how Fiverr handles file sharing within its internal messaging system. <\/p>\n The platform relies on a third-party service called Cloudinary to process and host images and PDF documents, including final work products delivered to clients.<\/p>\n While Cloudinary operates similarly to an Amazon S3 digital storage bucket<\/a> and supports secure, expiring web links, Fiverr reportedly configured the service incorrectly. <\/p>\n Instead of requiring authentication, Fiverr opted to generate fully public URLs for these sensitive attachments. Because these files were left open to the public, search engines like Google were able to crawl and index them. <\/p>\n This suggests that the public file links may have been exposed through unprotected HTML pages somewhere on Fiverr\u2019s network.<\/p>\n The impact of this oversight is severe, as anyone can allegedly use specific Google search queries to surface private documents. <\/p>\n For example, running a site-specific search for \u201cform 1040\u201d on Fiverr\u2019s Cloudinary domain instantly reveals private tax documents <\/a>containing highly sensitive financial and personal data.<\/p>\n Interestingly, the researcher highlighted a troubling contradiction. Fiverr actively purchases Google Ads for tax preparation services, yet the platform fails to secure the resulting financial work products. <\/p>\n This exposure raises immediate regulatory concerns. By failing to lock down financial documents properly, the platform and its tax preparation freelancers could be in direct violation of the FTC Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA), which mandate strict protections for consumer financial data.<\/p>\n The researcher who discovered the issue claims<\/a> to have followed standard responsible disclosure protocols. A detailed vulnerability report was sent to Fiverr\u2019s designated security team 40 days before the public release. <\/p>\n After receiving no response or remediation efforts from the company, the researcher opted to publish the findings on Hacker News to warn affected users.<\/p>\n Until Fiverr resolves this public exposure, users are at risk of identity theft and financial fraud<\/a>. Both freelancers and clients should take immediate precautions:<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Fiverr Allegedly Leaks User Information to Google Indexing, Researchers Say<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nThe Cloudinary Misconfiguration<\/strong><\/h2>\n
Key Takeaways and Mitigations<\/strong><\/h2>\n
\n