Freelance service platform Fiverr is facing a significant privacy incident after researchers discovered that sensitive customer files are publicly accessible and indexed by Google search.
According to a recent disclosure on Hacker News, an insecure file-hosting configuration has exposed personally identifiable information (PII), including completed tax forms, exchanged between freelancers and clients.
The Cloudinary Misconfiguration
The root of the data exposure lies in how Fiverr handles file sharing within its internal messaging system.
The platform relies on a third-party service called Cloudinary to process and host images and PDF documents, including final work products delivered to clients.
While Cloudinary operates similarly to an Amazon S3 digital storage bucket and supports secure, expiring web links, Fiverr reportedly configured the service incorrectly.
Instead of requiring authentication, Fiverr opted to generate fully public URLs for these sensitive attachments. Because these files were left open to the public, search engines like Google were able to crawl and index them.
This suggests that the public file links may have been exposed through unprotected HTML pages somewhere on Fiverr’s network.
The impact of this oversight is severe, as anyone can allegedly use specific Google search queries to surface private documents.
For example, running a site-specific search for “form 1040” on Fiverr’s Cloudinary domain instantly reveals private tax documents containing highly sensitive financial and personal data.
Interestingly, the researcher highlighted a troubling contradiction. Fiverr actively purchases Google Ads for tax preparation services, yet the platform fails to secure the resulting financial work products.
This exposure raises immediate regulatory concerns. By failing to lock down financial documents properly, the platform and its tax preparation freelancers could be in direct violation of the FTC Safeguards Rule and the Gramm-Leach-Bliley Act (GLBA), which mandate strict protections for consumer financial data.
The researcher who discovered the issue claims to have followed standard responsible disclosure protocols. A detailed vulnerability report was sent to Fiverr’s designated security team 40 days before the public release.
After receiving no response or remediation efforts from the company, the researcher opted to publish the findings on Hacker News to warn affected users.
Key Takeaways and Mitigations
Until Fiverr resolves this public exposure, users are at risk of identity theft and financial fraud. Both freelancers and clients should take immediate precautions:
- Halt sensitive transfers: Users should temporarily stop sending sensitive documents, such as tax forms or medical records, through Fiverr’s messaging system.
- Implement signed URLs: Fiverr must urgently update its Cloudinary integration to utilize signed, time-limited URLs for all user-to-user file transfers to ensure files expire after being downloaded.
- Request search de-indexing: The company needs to issue urgent takedown requests to Google to remove the exposed domain directories from public search results.
- Monitor for identity theft: Clients who purchased financial or tax preparation gigs on Fiverr should monitor their credit reports for unauthorized activity.

