
Tell HN: Fiverr left customer files public and searchable

209•morpheuskafka•3h ago
Fiverr (gig work/task platform, competitor to Upwork) uses a service called Cloudinary to process PDF/images in messaging, including work products from the worker to client.

Besides the PDF processing value add, Cloudinary effectively acts like S3 here, serving assets directly to the web client. Like S3, it has support for signed/expiring URLs. However, Fiverr opted to use public URLs, not signed ones, for sensitive client-worker communication.

Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII.

Example query: site:fiverr-res.cloudinary.com form 1040

In fact, Fiverr actively buys Google Ads for keywords like "form 1234 filing" despite knowing that it does not adequately secure the resulting work product, causing the preparer to violate the GLBA/FTC Safeguards Rule.

Responsible Disclosure Note -- 40 days have passed since this was notified to the designated vulnerability email (security@fiverr.com). The security team did not reply. Therefore, this is being made public as it doesn't seem eligible for CVE/CERT processing as it is not really a code vulnerability, and I don't know anyone else who would care about it.
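The post contrasts public asset URLs with the signed, expiring URLs that Cloudinary and S3 support. As an added illustration (not code from the post, from Fiverr, or from Cloudinary), here is a generic signed-URL scheme: the host, path layout, HMAC construction and the secret are all assumptions made for this example, not Cloudinary's real URL format.

```python
"""Signed, expiring asset URLs: a generic illustration of the mechanism the
post says Cloudinary (like S3) supports and Fiverr did not use. This is NOT
Cloudinary's actual URL format; the signing scheme, path layout and secret
are assumptions made for this example."""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret for the example; a real deployment keeps it server-side only.
SIGNING_SECRET = b"example-signing-secret-not-real"
# Hypothetical asset host (an assumption, not the host from the post).
ASSET_BASE = "https://assets.example.test"


def _mac(path: str, expires: int, secret: bytes = SIGNING_SECRET) -> str:
    """HMAC-SHA256 over the exact path and the expiry, hex-encoded for the URL."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Mint a URL that is only accepted until now + ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _mac(path, expires)})
    return f"{ASSET_BASE}{path}?{query}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Server-side check: reject unsigned, expired or tampered URLs."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if "expires" not in params or "sig" not in params:
        return False  # a bare public URL, like the ones the post describes
    try:
        expires = int(params["expires"][0])
    except ValueError:
        return False
    if now >= expires:
        return False  # the link has lapsed
    expected = _mac(parts.path, expires)
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    return hmac.compare_digest(expected, params["sig"][0])
```

A URL minted this way stops working after its TTL, and changing the path or the query invalidates it, so a copy that ends up in a search index is useless once it lapses.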

Comments

mtmail•3h ago
You followed the correct reporting instructions.

https://www.fiverr.com/.well-known/security.txt only has "Contact: security@fiverr.com" and in their help pages they say "Fiverr operates a Bug Bounty program in collaboration with BugCrowd. If you discover a vulnerability, please reach out to security@fiverr.com to receive information about how to participate in our program."

wxw•3h ago
Wow, surprised this isn't blowing up more. Leaking form 1040s is egregious, let alone getting them indexed by Google...
mraza007•2h ago
Woah, that's brutal. All the important information is wild in public.
BoredPositron•1h ago
Just by scrolling over it, that's really rough.
popalchemist•1h ago
Burn it to the ground.
smashah•1h ago
They bought and.co and then dropped it. Strange company.
iwontberude•1h ago
Loooool what a mess
impish9208•1h ago
This is crazy! So many tax and other financial forms out in the open. But the most interesting file I’ve seen so far seems to be a book draft titled “HOOD NIGGA AFFIRMATIONS: A Collection of Affirming Anecdotes for Hood Niggas Everywhere”. I made it to page 27 out of 63.
onraglanroad•1h ago
I've read worse. Better than Dan Brown!
b00ty4breakfast•27m ago
that bar is subterranean, haha
sergiotapia•22m ago
Link please :pray:
yapfrog•14m ago
https://fiverr-res.cloudinary.com/image/upload/f_pdf,q_auto/...

I will say that the title is the best part.

yieldcrv•14m ago
I found someone's manuscript. At first I thought it would be scandalous to find it ghostwritten, but it actually is just annotations and someone proofreading it; the annotations come up in the PDF.

I found the author on Amazon and the book still hasn't been released

This is sad.

johnmlussier•1h ago
Probably not in scope but maybe https://bugcrowd.com/engagements/cloudinary will care?

This is bad.

morpheuskafka•1h ago
They probably wouldn't act immediately, as there's no way for them to enable signing without breaking their client's site. The only cleanup you could do without that would be having Google pull that subdomain, I guess?

(Fiverr itself uses Bugcrowd but is private, having to first email their SOC as I did.)

janoelze•51m ago
Really bad stuff in the results. Very easy to find API tokens, penetration test reports, confidential PDFs, internal APIs. Fiverr needs to immediately block all static asset access until this is resolved. Business continuity should not be a concern here.
mpeg•50m ago
Lots of admin credentials too, which have probably never been changed.
janoelze•40m ago
Admin passwords to dating sites; that's the stuff people get blackmailed with.
qq66•17m ago
How does someone's dating site password end up in Fiverr?
janoelze•16m ago
It's worse than you think – it's an admin password to the ~whole site~.
qingcharles•46m ago
That's wild. Thousands of SSNs in there. Also a lot of Fiverr folks selling digital products and all their PDF courses are being returned for free in the search results.
walletdrainer•41m ago
> Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII

This is not how Google works.

AndroTux•22m ago
It kind of is, though. Google doesn't randomly try to visit every URL on the internet. It follows links. Therefore, for these files to be indexed by Google, they need to be linked to from somewhere.
yieldcrv•33m ago
This is a bad leak; appreciate the attempts at disclosure before this.
tfsh•32m ago
Hopefully this can be patched soon.

Their robots file specifically has the code to disallow search engine crawling commented out - https://fiverr-res.cloudinary.com/robots.txt.

---

     # See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
     #
     # To ban all spiders from the entire site uncomment the next two lines:
     # User-Agent: *
     # Disallow: /
applfanboysbgon•31m ago
Software development jobs are too accessible. Jobs with access to/control over millions of people's data should require some kind of genuine software engineering certification, and there should be business-cratering fines for something as egregious as completely ignoring security reports. It is ridiculous how we've completely normalised leaks like this on a weekly or almost-daily basis.
morpheuskafka•28m ago
They may be part of it, but as a publicly traded company, there's got to be at least a few people there with a fancy pedigree (not that that actually means they are good at their job or care). But if such a test existed, they presumably would have passed it.

They also have an ISO 27001 certificate (they try to claim a bunch of AWS's certs by proxy on their security page, which is ironic, as they say AWS stores most of their data while apparently all uploads are on this).

sergiotapia•30m ago
This is really bad: just straight up people's income, SSN and worse, right there in the search results, on Brave Search even.
HeliumHydride•15m ago
It seems that someone sent a DMCA complaint months ago relating to this: https://lumendatabase.org/notices/53130362
gregsadetsky•5m ago
I wrote to security@fiverr.com and they just replied:

"You’re the second person to flag this issue to us.

Please note that our records show no contact with Fiverr security regarding this matter ~40 days ago, unlike the poster claims. We are currently working to resolve the situation."
