Fiverr faces scrutiny over exposed user files

According to HackRead, a security researcher discovered that thousands of files from the gig-work website Fiverr were accessible online due to alleged improper storage by a third-party service. The exposed data reportedly includes sensitive documents such as tax forms, driver's licenses, and work contracts.

The data exposure occurred because Fiverr utilized Cloudinary for image and PDF storage, employing public URLs instead of secure, expiring links. These public URLs allowed search engines like Google to index the files, making them easily discoverable. The exposed information included official identification, private work deliverables, passwords, API keys, and tax records. A researcher notified Fiverr about the exposed files 40 days prior to public disclosure, but received no response.

Fiverr has denied a security breach, asserting that users consented to sharing these files for marketplace activities. However, cybersecurity experts disagree, emphasizing that user consent for specific transactions does not equate to consent for public exposure. Cybersecurity experts advise users who shared identification or tax forms on the platform to monitor for identity theft and change credentials.

Source: HackRead