
Tell HN: Fiverr left customer files public and searchable

658 points, by morpheuskafka, yesterday at 6:56 PM, 163 comments

Fiverr (gig work/task platform, competitor to Upwork) uses a service called Cloudinary to process PDF/images in messaging, including work products from the worker to client.

Besides the PDF processing value add, Cloudinary effectively acts like S3 here, serving assets directly to the web client. Like S3, it has support for signed/expiring URLs. However, Fiverr opted to use public URLs, not signed ones, for sensitive client-worker communication.

Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII.

Example query: site:fiverr-res.cloudinary.com form 1040

In fact, Fiverr actively buys Google Ads for keywords like "form 1234 filing" despite knowing that it does not adequately secure the resulting work product, causing the preparer to violate the GLBA/FTC Safeguards Rule.

Responsible Disclosure Note -- 40 days have passed since this was notified to the designated vulnerability email ([email protected]). The security team did not reply. Therefore, this is being made public as it doesn't seem eligible for CVE/CERT processing as it is not really a code vulnerability, and I don't know anyone else who would care about it.
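The OP's distinction between a public delivery URL and a signed, expiring one, as an added example that is not Fiverr's, Cloudinary's or the poster's code: a minimal HMAC-based scheme of the kind that S3 presigned URLs and Cloudinary signed/authenticated delivery implement. The host name, secret and asset path are constructed for illustration, and the query-parameter layout (`exp`, `sig`) is this example's own, not Cloudinary's actual signature format.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed values for the example. A real deployment keeps the secret on the
# server (or the CDN's edge) only and never ships it to the web client.
BASE_URL = "https://assets.example.invalid"              # hypothetical asset host
SECRET = b"example-signing-secret-not-for-production"    # hypothetical secret
ASSET_PATH = "/raw/upload/v1/messages/1040-draft.pdf"    # hypothetical file


def _signature(path: str, expires_at: int, secret: bytes) -> str:
    """HMAC-SHA256 over the path AND the expiry, so neither can be altered
    without invalidating the signature."""
    msg = f"{path}\n{expires_at}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def public_url(path: str) -> str:
    """What a public (unsigned) delivery URL looks like: anyone who has or
    finds it, a search-engine crawler included, can fetch the file forever."""
    return f"{BASE_URL}{path}"


def sign_url(path: str, ttl_seconds: int, secret: bytes = SECRET,
             now: Optional[int] = None) -> str:
    """Issue a URL that expires after ttl_seconds and is bound to this path."""
    now = int(time.time()) if now is None else now
    expires_at = now + ttl_seconds
    query = urlencode({"exp": expires_at,
                       "sig": _signature(path, expires_at, secret)})
    return f"{BASE_URL}{path}?{query}"


def verify_url(url: str, secret: bytes = SECRET,
               now: Optional[int] = None) -> Tuple[bool, str]:
    """Server-side check the asset host runs before serving a single byte.
    Returns (allowed, reason) so the caller can log why a fetch was refused."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if "exp" not in params or "sig" not in params:
        return False, "unsigned"
    try:
        expires_at = int(params["exp"])
    except ValueError:
        return False, "malformed expiry"
    if now >= expires_at:
        return False, "expired"
    expected = _signature(parts.path, expires_at, secret)
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(expected, params["sig"]):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the demo is deterministic
    url = sign_url(ASSET_PATH, ttl_seconds=300, now=t0)
    print(url)
    print(verify_url(public_url(ASSET_PATH), now=t0))             # unsigned
    print(verify_url(url, now=t0))                                 # ok
    print(verify_url(url, now=t0 + 301))                           # expired
    print(verify_url(url.replace("1040-draft", "other"), now=t0))  # path swapped
    print(verify_url(url.replace("exp=", "exp=9"), now=t0))        # expiry extended
```

In practice the storage or CDN vendor's own mechanism should be used rather than a hand-rolled one: boto3's `generate_presigned_url(..., ExpiresIn=...)` for S3, and Cloudinary's signed URLs (`sign_url=True` in its SDKs) or its `authenticated` delivery type. Two caveats the thread touches on still apply: signing limits the damage window but does not help if the page that embeds the links is itself publicly reachable for longer than the TTL, and a crawler-facing `noindex` header is defence in depth, not access control.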


Comments

evmaki, today at 2:25 AM

Extremely bad stuff here. Can't believe it's been 7 hours now and you can still pull up people's complete prepared tax returns right from a Google search. This should be a business-ending breach of trust and good practices, but I worry there's probably a lack of regulatory might or will to make anything happen.

viaredux, today at 7:42 AM

I am a freelancer on Fiverr, this is VERY concerning. The amount of PII that I have sent over Fiverr, after sending NDAs, is potentially all out in the public. I hope there will be accountability for this. IMO Fiverr has had terrible management for years! They simply do not care about their freelancers (and apparently also not about their customers).

pesus, today at 12:06 AM

Wow, the other comments weren't exaggerating. This is really bad. If my tax returns or other data were part of this, I might consider legal action.

I wonder if somewhere like Wired/Ars Technica/404media might pick this up?

applfanboysbgon, yesterday at 10:22 PM

Software development jobs are too accessible. Jobs with access to/control over millions of people's data should require some kind of genuine software engineering certification, and there should be business-cratering fines for something as egregious as completely ignoring security reports. It is ridiculous how we've completely normalised leaks like this on a weekly or almost-daily basis.

mtmail, yesterday at 7:15 PM

You followed the correct reporting instructions.

https://www.fiverr.com/.well-known/security.txt only has "Contact: [email protected]" and in their help pages they say "Fiverr operates a Bug Bounty program in collaboration with BugCrowd. If you discover a vulnerability, please reach out to [email protected] to receive information about how to participate in our program."

gregsadetsky, yesterday at 10:49 PM

I wrote to [email protected] and they just replied:

"You’re the second person to flag this issue to us

Please note that our records show no contact with Fiverr security regarding this matter ~40 days ago unlike the poster claims. We are currently working to resolve the situation"

HeliumHydride, yesterday at 10:39 PM

It seems that someone sent a DMCA complaint months ago relating to this: https://lumendatabase.org/notices/53130362

wxw, yesterday at 7:28 PM

Wow, surprised this isn't blowing up more. Leaking form 1040s is egregious, let alone getting them indexed by Google...

npilk, today at 2:52 AM

Remember, if you use Google to access any of this “private” information, you’re a hacker and the state of Missouri might try to arrest you!

https://missouriindependent.com/2021/10/14/missouri-governor...

qingcharles, yesterday at 10:07 PM

That's wild. Thousands of SSNs in there. Also a lot of Fiverr folks selling digital products and all their PDF courses are being returned for free in the search results.

janoelze, yesterday at 10:02 PM

really bad stuff in the results. very easy to find API tokens, penetration test reports, confidential PDFs, internal APIs. Fiverr needs to immediately block all static asset access until this is resolved. business continuity should not be a concern here.

Nekorosu, today at 8:51 AM

I was scammed on Fiverr myself, so I may be biased, but this feels consistent with the platform incentives I saw firsthand. The dispute process did not seem designed to deal well with coordinated abuse, and weak controls around sensitive files would point to the same broader issue: user safety and data handling do not appear to be high priorities.

Barbing, today at 2:45 AM

@dang example query feels incredibly doxxy, and feels bad form to link directly to full copies of people's [stuff] and [personal info] as seen on this page :/

I know this is all Fiverr's fault for allegedly missing the responsible disclosure but now is this the ideal way for us to discuss, with these particular examples? I ask not to spare Fiverr, but I would be so mad if I were first for the result in OP or my personal info linked directly...

janoelze, today at 12:10 AM

it's been 5 hours. even manual action to take down the most sensitive files should have completed about 3 hours ago at most. what is happening.

101008, today at 2:07 AM

There is health stuff too... and they are not even paying attention to this matter

https://fiverr-res.cloudinary.com/image/upload/f_pdf,q_auto/...

pcblues, today at 7:49 AM

In spite of how the pollies sell it, regulation is the friend of anyone earning less than one million dollars per year. Regulation would fix this. Get on it.

yellow_lead, today at 8:54 AM

The files are deleted now, that was fun while it lasted!

johnmlussier, yesterday at 9:44 PM

Probably not in scope but maybe https://bugcrowd.com/engagements/cloudinary will care?

This is bad.

cleaning, today at 1:11 AM

Wow this is really really bad. Insane this hasn't been fixed yet, media outlets are going to have a fun time with this story

ebbi, today at 2:22 AM

I've been boycotting Fiverr, so I'm glad I'm not caught up in this. And judging by their response to this issue, I'm glad I've been boycotting it.

fudged71, today at 5:33 AM

It's been 10 hours and all the links in this comment section still work...

figassis, today at 2:47 AM

From what I’ve seen, this always ends in some small fine/settlement and “no admission of guilt”. This type of protection is the source of these mishaps.

psygn89, yesterday at 11:02 PM

I guess they used Fiverr for security

epaga, today at 7:27 AM

I tried posting a warning to /r/fiverr but the admins removed the post. And the files are STILL public...how in the world is "sitting it out" their course of action?

Edit: I'm beginning to wonder if they might be locked out of their own site at this point. How hard could it be to just shut down the asset server until they get it sorted?

unkl_, today at 8:42 AM

Looks like the cloudinary links are returning 404 now

morpheuskafka, today at 9:01 AM

Files are now returning 404s as of right now, 0900 UTC 4/15.

Would be interesting if someone with an account can check if they are visible to intended users or not, and if so, if their mitigation is robust (signed URLs?).

impish9208, yesterday at 9:29 PM

This is crazy! So many tax and other financial forms out in the open. But the most interesting file I’ve seen so far seems to be a book draft titled “HOOD NIGGA AFFIRMATIONS: A Collection of Affirming Anecdotes for Hood Niggas Everywhere”. I made it to page 27 out of 63.

nslsm, today at 8:44 AM

I don't really see what the issue is here? Someone with access to the URL (either the freelancer or the client) leaked it to Google, Google crawled it. How is this Fiverr's fault? I mean, okay, they could sign URLs, but it's not like they left a folder with directory listing on. Someone with access to the URLs, not them, willingly made the URLs public.

rapfaria, today at 1:28 AM

How big of a client is Fiverr? Surely Cloudinary would have alerts for an enterprise client leaking stuff?

Just insane

mraza007, yesterday at 8:00 PM

Woah that's brutal all the important information is wild in public

sergiotapia, yesterday at 10:24 PM

This is really bad, just straight up people's income, SSN and worse just right there in the search results on Brave Search even.

gostsamo, today at 4:28 AM

have you contacted the ftc if their regulation is being violated?

yieldcrv, yesterday at 10:20 PM

this is a bad leak, appreciate the attempts at disclosure before this

smashah, yesterday at 9:15 PM

They bought and.co and then dropped it. strange company

popalchemist, yesterday at 9:06 PM

Burn it to the ground.

BoredPositron, yesterday at 8:58 PM

Just by scrolling over it that's really rough.

iwontberude, yesterday at 9:19 PM

Loooool what a mess

csomar, today at 3:22 AM

Given the existing DMCA requests and the fact that Google has become way less aggressive about indexing this stuff, it's clear this has been going on for a while. My guess is they've gutted enough of their internal processes that they literally can't restrict access to these files without breaking their own platform.

You really can't make this shit up: https://www.linkedin.com/feed/update/urn:li:activity:7445526...

The real question is: will Fiverr be the first company to truly crash and burn from an "AI-first" approach? Go LLM, go mayhem!

Jbird2k, today at 2:45 AM

Bruh this stuff is still public

TZubiri, today at 6:40 AM

I don't get why disclosing is considered acceptable; it seems like racketeering to me: "pay up or else I'll make this hypothetical issue an actual issue for you".

When I reported an issue and got no response, I sat on it for 6 years, reported it again, and they took the whole site down without reaching out to me. I never quite got it, but if people are doing this, it makes sense not to acknowledge any report and just play deaf.

walletdrainer, yesterday at 10:13 PM

> Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII

This is not how Google works.
