Tell HN: Fiverr left customer files public and searchable

201 pointsby morpheuskafka4 hours ago19 comments

applfanboysbgon19 minutes ago
Software development jobs are too accessible. Jobs with access to/control over millions of people's data should require some kind of genuine software engineering certification, and there should be business-cratering fines for something as egregious as completely ignoring security reports. It is ridiculous how we've completely normalised leaks like this on a weekly or almost-daily basis.
- morpheuskafka16 minutes ago
  They may be part of it, but as a publicly traded company, there's got to be a at least a few people there with a fancy pedigree (not that that actually means they are good at their job or care). But if such a test existed, they presumably would have passed it.
  They also have an ISO 27001 certificate (they try to claim a bunch of AWSs certs by proxy on their security page, which is ironic as they say AWS stores most of their data while apparently all uploads are on this).
HeliumHydride3 minutes ago
It seems that someone sent a DMCA complaint months ago relating to this: https://lumendatabase.org/notices/53130362
qingcharles35 minutes ago
That's wild. Thousands of SSNs in there. Also a lot of Fiverr folks selling digital products and all their PDF courses are being returned for free in the search results.
mtmail3 hours ago
You followed the correct reporting instructions.
https://www.fiverr.com/.well-known/security.txt only has "Contact: security@fiverr.com" and in their help pages they say "Fiverr operates a Bug Bounty program in collaboration with BugCrowd. If you discover a vulnerability, please reach out to security@fiverr.com to receive information about how to participate in our program."

tfsh20 minutes ago

Hopefully this can be patched soon.

Their robots file specifically has the code to disallow search engine crawling commented out - https://fiverr-res.cloudinary.com/robots.txt.

---

     See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
     #
     # To ban all spiders from the entire site uncomment the next two lines:
     # User-Agent: \*
     # Disallow: /

janoelze40 minutes ago
really bad stuff in the results. very easy to find API tokens, penetration test reports, confidental PDFs, internal APIs. Fiverr needs to immediately block all static asset access until this is resolved. business continuity should not be a concern here.
- mpeg38 minutes ago
  lots of admin credentials too, which have probably never been changed
  - janoelze29 minutes ago
    admin passwords to dating sites, that's the stuff people get blackmailed with
    qq666 minutes ago
    How does someone's dating site password end up in Fiverr?
    janoelze4 minutes ago
    it's worse than you think – it's an admin password to the ~whole site~
wxw3 hours ago
Wow, surprised this isn't blowing up more. Leaking form 1040s is egregious, let alone getting them indexed by Google...
johnmlussieran hour ago
Probably not in scope but maybe https://bugcrowd.com/engagements/cloudinary will care?
This is bad.
- morpheuskafkaan hour ago
  They probably wouldn't act immediately as there's no way for them to enable signing without breaking their client's site. The only cleanup you could do without that would be having google pull that subdomain I guess?
  (Fiverr itself uses Bugcrowd but is private, having to first email their SOC as I did.)
29 minutes ago
undefined
impish9208an hour ago
This is crazy! So many tax and other financial forms out in the open. But the most interesting file I’ve seen so far seems to be a book draft titled “HOOD NIGGA AFFIRMATIONS: A Collection of Affirming Anecdotes for Hood Niggas Everywhere”. I made it to page 27 out of 63.
- yieldcrv3 minutes ago
  I found someone's manuscript, at first I thought it would scandalous to find it ghost written, but it actually is just annotations and someone proof reading it, the annotations come up in the PDF
  I found the author on Amazon and the book still hasn't been released
  this is sad
- sergiotapia10 minutes ago
  Link please :pray:
  - yapfrog2 minutes ago
    https://fiverr-res.cloudinary.com/image/upload/f_pdf,q_auto/...
- onraglanroadan hour ago
  I've read worse. Better than Dan Brown!
  - b00ty4breakfast15 minutes ago
    that bar is subterranean, haha
mraza0073 hours ago
Woah that's brutal all the important information is wild in public
sergiotapia18 minutes ago
This is really bad, just straight up people's income, SSN and worse just right there in the search results on Brave Search even.
smashahan hour ago
They bought and.co and then dropped it. strange company
yieldcrv22 minutes ago
this is a bad leak, appreciate the attempts at disclosure before this
popalchemist2 hours ago
Burn it to the ground.
BoredPositron2 hours ago
Just by scrolling over it that's really rough.
3 hours ago
undefined
iwontberudean hour ago
Loooool what a mess
walletdrainer29 minutes ago
> Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII
This is not how Google works.
- AndroTux10 minutes ago
  It kind of is, though. Google doesn't randomly try to visit every URL on the internet. It follows links. Therefore, for these files to be indexed by Google, they need to be linked to from somewhere.