Fiverr has left sensitive customer files, including tax documents and personally identifiable information, publicly accessible and searchable on the web, according to a report on news.ycombinator.com.
The exposure stems from how the gig-work platform uses Cloudinary, a hosted service for storing, transforming and delivering images and PDFs. Cloudinary supports signed URLs that expire, but according to the post Fiverr delivers the files exchanged between clients and freelancers over plain public URLs, so anyone who obtains or guesses a link can fetch the file indefinitely, and search engines can index it.
Users discovered that Google has indexed these files: the query `site:fiverr-res.cloudinary.com form 1040` returns hundreds of tax forms.
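To make the difference between the two delivery patterns concrete, here is an added example (not code from the Hacker News post, from Fiverr, or from Cloudinary's SDK) that contrasts a bare public asset URL with a generic HMAC-signed, expiring URL and the server-side check that would reject expired or tampered links. The signing scheme, the secret, the `cdn.example.com` hostname and the upload path are all constructed for illustration; Cloudinary's own signed-URL format differs in detail, but the security property (a link that is bound to one path and stops working after a short time) is the same one the post says the platform chose not to use.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed signing secret for this example; a real deployment keeps it server-side only.
SECRET = b"example-signing-secret-do-not-reuse"

# Illustrative CDN host; not a real Fiverr or Cloudinary resource.
BASE = "https://cdn.example.com"


def public_url(path: str) -> str:
    """The weak pattern: a bare URL with no signature and no expiry.
    Anyone who learns or guesses the path, including a search crawler,
    can fetch the file for as long as it exists."""
    return f"{BASE}{path}"


def _signature(path: str, expires: int) -> str:
    # Bind the MAC to the exact path and expiry so neither can be changed
    # without invalidating the link (HMAC-SHA256 chosen for this example).
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def signed_url(path: str, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """The intended pattern: a link that only works for ttl_seconds and only for this path."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"exp": expires, "sig": _signature(path, expires)})
    return f"{BASE}{path}?{query}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Check an origin or edge would run before serving the asset."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["exp"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # missing or unparseable parameters: treat as unsigned
    if now >= expires:
        return False  # an expired link is dead even if a crawler indexed it
    expected = _signature(parts.path, expires)
    return hmac.compare_digest(sig, expected)  # constant-time comparison


def demo() -> dict:
    """Exercise the checks on a constructed asset path and a fixed clock."""
    path = "/uploads/client-123/form-1040.pdf"  # constructed, not a real object
    t0 = 1_700_000_000
    good = signed_url(path, ttl_seconds=300, now=t0)
    other_path = good.replace("client-123", "client-124")      # point at a neighbour's file
    extended = good.replace("exp=1700000300", "exp=1900000000")  # try to push the expiry out
    return {
        "public_url_rejected": verify_url(public_url(path), now=t0),
        "valid_before_expiry": verify_url(good, now=t0 + 60),
        "rejected_after_expiry": verify_url(good, now=t0 + 301),
        "rejected_other_path": verify_url(other_path, now=t0),
        "rejected_extended_expiry": verify_url(extended, now=t0),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the `demo()` cases is that a signed link cannot be repointed at another client's file or have its lifetime extended, and a copy of it sitting in a search index goes stale within minutes; a public URL of the kind the post describes has none of those properties.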
Some files contain highly sensitive data. User qingcharles noted on the platform, "That's wild. Thousands of SSNs are in there. Also a lot of Fiverr folks selling digital products and all their PDF courses are being returned for free in the search results."
Critical credentials exposed
The exposure extends beyond tax documents. Commenters on the Hacker News thread identified API tokens, penetration test reports, and internal API documentation within the searchable results.
User janoelze stated that the leaked data includes "very easy to find API tokens, penetration test reports, confidential PDFs, [and] internal APIs." The user urged the company to "immediately block all static asset access until this is resolved."
Further reports suggest the leak contains administrative credentials. User mpeg claimed to find "lots of admin credentials too, which have probably never been changed."
One commenter, janoelze, added that the discovery includes "admin passwords to dating sites, that's the stuff people get blackmailed with."
The original poster, morpheuskafka, reported contacting Fiverr's security team at security@fiverr.com 40 days earlier and receiving no response. Because a site-specific misconfiguration of this kind does not qualify for a CVE, the poster disclosed the issue publicly.
The leak may also create legal liability for the freelancers who prepare these documents. The report notes that Fiverr buys Google Ads for keywords such as "form 1234 filing" while the resulting work products are left unsecured, which could put tax preparers using the platform in breach of the GLBA/FTC Safeguards Rule.