The gig-economy and freelance marketplace Fiverr has recently been embroiled in a controversy over the exposure of user data, after a security researcher revealed that the platform has failed to address a significant lapse. Following the researcher's public disclosure, independent checks confirmed that a large repository of Fiverr's PDF deliverables has been indexed by Google Search.
The exposure is particularly troubling because these documents contain sensitive private information shared between buyers and freelancers. The exposed data consists mainly of finished work products delivered as PDFs, which frequently include proprietary client details. Fiverr uses a third-party service, Cloudinary, to process and store the images and documents sent through its messaging system.
Within Fiverr's architecture, Cloudinary serves as the object store. Although Cloudinary supports signed delivery URLs with expiry times, Fiverr's implementation serves these files from plain public URLs. The links therefore neither expire nor require authentication: the URL itself is the only secret, so anyone who obtains it can fetch the file without restriction, and nothing on the server side can revoke that access afterwards short of deleting the asset or making it private. For the same reason, switching to signed URLs for new uploads would not by itself close the gap for files whose bare URLs have already leaked.
How these URLs became discoverable remains unclear, but the result is that Google's crawlers have indexed over 30,000 distinct links, the vast majority of which point to sensitive PDF documents. On identifying the lapse, the researcher reported it to Fiverr through its designated vulnerability disclosure channel. Despite the gravity of the exposure, the report went unacknowledged for over forty days, and the issue remains unfixed.
Because this is a configuration error rather than a flaw in a software product, it does not meet the criteria for a CVE (Common Vulnerabilities and Exposures) identifier or a CERT advisory, and no formal vulnerability ID was assigned. With no institutional recourse, the researcher published the findings directly, which drew public attention to documents that were already reachable by anyone. Retrieving the files is alarmingly trivial: a search-engine query restricted to fiverr-res.cloudinary.com returns a myriad of documents, including forms containing US taxpayer information and other highly sensitive personal data.
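The following Python is an added illustration of the two points above, and is not code from Fiverr, Cloudinary or the researcher. It shows what the article means by a public URL versus a signed, expiring one: a bare URL is accepted by whoever holds it, while a signed URL binds the path and an expiry to an HMAC-SHA256 tag that the server verifies and rejects once stale or altered. It also shows the kind of screen a defender would run over a list of crawler-visible links to find the ones that carry no signature at all. The signing scheme is a generic HMAC one, not Cloudinary's own token format; the secret, the host cdn.example.invalid, the paths and the sample URL list are all constructed for the example.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlparse

# Constructed secret for this example only; a real deployment keeps it in a secret store.
SECRET = b"example-only-secret-replace-me"

# Constructed, hypothetical crawler-visible URLs on a placeholder host (not real Fiverr links).
SAMPLE_INDEXED_URLS = [
    "https://cdn.example.invalid/raw/upload/v1/deliverable-0001.pdf",
    "https://cdn.example.invalid/raw/upload/v1/deliverable-0002.pdf?exp=1700000600&sig=deadbeef",
    "https://cdn.example.invalid/image/upload/v1/logo-draft.png",
]


def sign_url(base_url, path, secret, ttl_seconds, now=None):
    """Build a delivery URL whose path and expiry are bound together by an HMAC-SHA256 tag.

    Generic scheme for illustration; it is not Cloudinary's own signed-URL or token format.
    """
    now = int(time.time()) if now is None else now
    exp = now + ttl_seconds
    to_sign = f"{path}?exp={exp}".encode()
    sig = hmac.new(secret, to_sign, hashlib.sha256).hexdigest()
    return f"{base_url}{path}?exp={exp}&sig={sig}"


def verify_url(url, secret, now=None):
    """Return (accepted, reason). Rejects unsigned, tampered and expired URLs."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    if "exp" not in params or "sig" not in params:
        # A bare URL: this is the case the article describes, where holding the link is enough.
        return False, "unsigned"
    exp_str = params["exp"][0]
    if not exp_str.isdigit():
        return False, "malformed-expiry"
    expected = hmac.new(secret, f"{parsed.path}?exp={exp_str}".encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so the check does not leak which bytes of the tag matched.
    if not hmac.compare_digest(expected, params["sig"][0]):
        return False, "bad-signature"
    if int(exp_str) < now:
        return False, "expired"
    return True, "ok"


def bare_urls(urls):
    """Return the URLs that carry no signature at all: anyone holding them can fetch the file."""
    return [u for u in urls if "sig" not in parse_qs(urlparse(u).query)]


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the run is reproducible
    url = sign_url("https://cdn.example.invalid", "/raw/upload/v1/deliverable-0001.pdf", SECRET, 600, now=t0)
    print("signed:", url)
    print("fresh  ->", verify_url(url, SECRET, now=t0 + 30))
    print("stale  ->", verify_url(url, SECRET, now=t0 + 601))
    print("tamper ->", verify_url(url.replace("deliverable-0001", "deliverable-0002"), SECRET, now=t0 + 30))
    print("bare   ->", verify_url(SAMPLE_INDEXED_URLS[0], SECRET, now=t0))
    print("unsigned in index:", bare_urls(SAMPLE_INDEXED_URLS))
```

Two design points carry over to any real deployment. The signature must cover the expiry, not only the path, or a holder of a stale link can simply extend it; and a signed link still grants access to everyone who holds it until it expires, so the expiry window should be short and the assets themselves should not be reachable without a valid tag.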