A misconfigured Cloudinary instance is leaking private user documents from the freelance platform, which are being indexed by Google. The researcher who discovered the issue has been waiting for a response from the company for over 40 days.
Anyone entering the right search terms on Google can currently find sensitive Fiverr user documents in plain text: completed tax returns, ID cards, invoices, API credentials and passwords. The culprit is a misconfigured instance of the cloud service Cloudinary, which the gig platform uses to exchange files between clients and freelancers.
The problem was uncovered by an anonymous security researcher posting under the alias morpheuskafka on Hacker News. According to the researcher, Fiverr uses Cloudinary similarly to an S3 storage service, delivering files directly to web browsers. The critical mistake: instead of using signed, expiring URLs, Fiverr apparently opted for public links that can easily be crawled and indexed by search engines.
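The contrast described above, as an added illustration that is neither the researcher's code nor Cloudinary's own signing scheme: a stable public link that any crawler can fetch beside an HMAC-signed link that carries an expiry and is checked server-side before the file is served. The base URL, file path and signing key are constructed placeholders.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed key for this example only; a real deployment keeps it server-side.
SIGNING_KEY = b"example-signing-key-not-a-real-secret"


def public_url(base, path):
    """The weak pattern: a stable, unauthenticated link that anyone (or any crawler) can fetch."""
    return f"{base}/{path}"


def _canonical(path, expires):
    # Bind the signature to both the file path and the expiry so neither can be swapped.
    return f"{path}\n{expires}".encode()


def signed_url(base, path, ttl_seconds, key=SIGNING_KEY, now=None):
    """Issue a link that is valid only until `expires` and cannot be forged without the key."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(key, _canonical(path, expires), hashlib.sha256).hexdigest()
    return f"{base}/{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_url(url, key=SIGNING_KEY, now=None):
    """Server-side check: reject links with a missing or forged signature, or an expiry in the past."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    if "expires" not in q or "sig" not in q:
        return False  # a bare public link never passes
    try:
        expires = int(q["expires"][0])
    except ValueError:
        return False
    if now > expires:
        return False  # link has expired
    path = parsed.path.lstrip("/")
    expected = hmac.new(key, _canonical(path, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the signature.
    return hmac.compare_digest(expected, q["sig"][0])
```

Because the signature covers the path and the expiry, editing either in the URL invalidates it, and a link copied into a search index stops working once its TTL passes.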
What is affected
The scale of the leak is significant. Cybernews confirmed that search results from affected servers do indeed expose tax returns, ID documents, invoices and other personally identifiable information. Alongside private documents, deliverables from freelancers also surfaced, ranging from marketing materials and pitch decks to academic theses and penetration test reports. Ironically, among the leaked files is Fiverr’s own ISO 27001 certificate for information security excellence, which expired four months ago.
Security researcher Aras Nazarovas from Cybernews is unambiguous in his assessment: this constitutes a serious security failure. All files exchanged between buyers and sellers, including ID documents, contracts, passwords and API keys, are potentially publicly accessible. While external attackers cannot simply list all affected files without an account API key, anyone who knows what to search for will find results on Google.
Responsible disclosure ignored
Particularly troubling: the researcher claims to have notified Fiverr of the vulnerability more than 40 days ago, via email to the official security address security@fiverr.com. No reply was ever received. Since the issue is technically not a classic code vulnerability, the researcher saw no way to escalate it through CVE or CERT processes and therefore decided to go public.
Nazarovas also points out that Fiverr itself actively runs Google Ads targeting tax-related keywords, directing users to its platform. Without adequate security measures in place, the company may be in violation of the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule, both of which require tax preparers to protect client financial data.
What affected users should do now
Anyone who has ever shared credentials, API keys or other sensitive information via Fiverr messages should rotate them immediately. Nazarovas also recommends staying alert for signs of identity fraud or phishing attempts.
The researcher is calling on Fiverr to immediately implement proper access controls for private files, remove affected content from search engine indexes and notify impacted users. At the time the original report was published, the data remained freely accessible. Fiverr has so far not commented.