Tell HN: Fiverr left customer files public and searchable

102•morpheuskafka•2h ago
Fiverr (gig work/task platform, competitor to Upwork) uses a service called Cloudinary to process PDF/images in messaging, including work products from the worker to client.

Besides the PDF processing value add, Cloudinary effectively acts like S3 here, serving assets directly to the web client. Like S3, it has support for signed/expiring URLs. However, Fiverr opted to use public URLs, not signed ones, for sensitive client-worker communication.

Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII.

Example query: site:fiverr-res.cloudinary.com form 1040

In fact, Fiverr actively buys Google Ads for keywords like "form 1234 filing" despite knowing that it does not adequately secure the resulting work product, causing the preparer to violate the GLBA/FTC Safeguards Rule.

Responsible Disclosure Note -- 40 days have passed since this was notified to the designated vulnerability email (security@fiverr.com). The security team did not reply. Therefore, this is being made public as it doesn't seem eligible for CVE/CERT processing as it is not really a code vulnerability, and I don't know anyone else who would care about it.
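The post's central point is that the asset host supports signed, expiring URLs but was configured to hand out plain public ones. As an added illustration (not code from the post, from Fiverr, or from Cloudinary, whose SDKs implement their own URL-signing scheme; this is a generic HMAC-based one), the Python below shows how a delivery link is minted with an expiry and a MAC on the server side, and how the delivery side rejects a bare public URL, an expired link, or a link whose path was altered. The host, asset path and secret are constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample values; not real Fiverr or Cloudinary secrets, hosts or paths.
SECRET = b"constructed-demo-secret-do-not-reuse"
HOST = "assets.example.invalid"
ASSET_PATH = "/deliveries/v1/client_42/draft_1040.pdf"


def _mac(path: str, exp: int, secret: bytes) -> str:
    """HMAC-SHA256 over the path and expiry, so neither can be changed
    without invalidating the signature."""
    msg = f"{path}\n{exp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(host: str, path: str, ttl_seconds: int, secret: bytes,
             now: Optional[int] = None) -> str:
    """Mint a time-limited link: the asset path plus exp= and sig= query parameters."""
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    query = urlencode({"exp": exp, "sig": _mac(path, exp, secret)})
    return urlunsplit(("https", host, path, query, ""))


def verify_url(url: str, secret: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Delivery-side check. Returns (accepted, reason).

    A plain public URL carries no exp/sig and is refused outright; that is
    the configuration the post describes, flipped to fail closed."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if "exp" not in q or "sig" not in q:
        return False, "unsigned"
    try:
        exp = int(q["exp"][0])
    except ValueError:
        return False, "bad exp"
    if now >= exp:
        return False, "expired"
    expected = _mac(parts.path, exp, secret)
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected, q["sig"][0]):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock for a reproducible demo
    signed = sign_url(HOST, ASSET_PATH, ttl_seconds=600, secret=SECRET, now=t0)
    public = urlunsplit(("https", HOST, ASSET_PATH, "", ""))
    print("signed, fresh   :", verify_url(signed, SECRET, now=t0))
    print("signed, expired :", verify_url(signed, SECRET, now=t0 + 601))
    print("public URL      :", verify_url(public, SECRET, now=t0))
    print("path altered    :", verify_url(signed.replace("client_42", "client_43"), SECRET, now=t0))
```

Anything that gets indexed or crawled under this scheme stops resolving once the expiry passes, and a link copied from one client's delivery cannot be re-pointed at another asset because the path is under the MAC.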

Comments

mtmail•2h ago
You followed the correct reporting instructions.

https://www.fiverr.com/.well-known/security.txt only has "Contact: security@fiverr.com" and in their help pages they say "Fiverr operates a Bug Bounty program in collaboration with BugCrowd. If you discover a vulnerability, please reach out to security@fiverr.com to receive information about how to participate in our program."

wxw•2h ago
Wow, surprised this isn't blowing up more. Leaking form 1040s is egregious, let alone getting them indexed by Google...

mraza007•1h ago
Woah that's brutal, all the important information is wild in public.

BoredPositron•40m ago
Just by scrolling over it that's really rough.

popalchemist•32m ago
Burn it to the ground.

smashah•24m ago
They bought and.co and then dropped it. Strange company.

iwontberude•19m ago
Loooool what a mess

impish9208•9m ago
This is crazy! So many tax and other financial forms out in the open. But the most interesting file I’ve seen so far seems to be a book draft titled “HOOD NIGGA AFFIRMATIONS: A Collection of Affirming Anecdotes for Hood Niggas Everywhere”. I made it to page 27 out of 63.

onraglanroad•1m ago
I've read worse. Better than Dan Brown!
