
Researchers Claim Fiverr User Data Is Exposed in Google Search Results

A recent disclosure on the technology forum Hacker News has revealed a significant privacy lapse at Fiverr, the popular freelance task marketplace.

Security researchers claim that sensitive customer files, including tax documents and personal information, are currently accessible to the public and actively indexed within Google search results.

The data exposure stems from the platform’s insecure handling of file attachments sent between freelancers and their clients.

According to the disclosure by a security researcher using the handle “morpheuskafka,” the root cause lies in how Fiverr utilizes Cloudinary.

Cloudinary is a third-party cloud service used for processing images and PDFs. It functions similarly to Amazon S3 buckets, storing and serving digital assets directly to internet users.

However, Fiverr reportedly failed to implement standard access controls for these hosted files. Key technical failures include:

  • Fiverr configured the system to generate completely public URLs for sensitive client-worker communications.
  • The platform opted against using secure, signed, or expiring URLs, which are industry-standard protections for private documents.
  • Because these links lack authentication checks, anyone with the direct URL can view the files without logging into a Fiverr account.
  • Fiverr appears to be serving public HTML pages that link to these unsecured assets, allowing web crawlers to easily discover and index the files.
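The signed, expiring URL control that the list above says was missing can be shown with a short added example (not code from the article, the researcher, Fiverr, or Cloudinary). It uses a generic HMAC scheme rather than Cloudinary's own signing format; the host, key, and the `exp`/`uid`/`sig` parameter names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-key"     # assumption: server-side key, never sent to clients
BASE = "https://files.example.test"  # hypothetical asset host


def _mac(path: str, expires: int, user_id: str) -> str:
    # Bind the signature to the file path, the expiry time and the intended viewer.
    msg = f"{path}\n{expires}\n{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, user_id: str, ttl: int = 300,
             now: Optional[float] = None) -> str:
    """Issue a link that is valid for `ttl` seconds and only for `user_id`."""
    expires = int(time.time() if now is None else now) + ttl
    query = urlencode({"exp": expires, "uid": user_id,
                       "sig": _mac(path, expires, user_id)})
    return f"{BASE}{path}?{query}"


def verify_url(url: str, session_user: str, now: Optional[float] = None) -> bool:
    """Check performed by the file server before any bytes are returned."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        expires, uid, sig = int(q["exp"][0]), q["uid"][0], q["sig"][0]
    except (KeyError, ValueError):
        return False  # bare, public-style URL with no signature: reject
    if uid != session_user:
        return False  # link was issued to a different logged-in account
    if (time.time() if now is None else now) > expires:
        return False  # a link found later (e.g. by a crawler) is already dead
    expected = _mac(parts.path, expires, uid)
    return hmac.compare_digest(sig.encode(), expected.encode())


if __name__ == "__main__":
    link = sign_url("/attachments/sample.pdf", "client-42")  # constructed sample
    print(link, verify_url(link, "client-42"))
```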

Privacy Implications and Exposed Data

The scope of the exposed data presents severe privacy risks. The researcher provided a specific Google search query demonstrating that confidential tax documents, such as IRS Form 1040s, are readily visible in search results.

This means highly sensitive Personally Identifiable Information (PII), including Social Security numbers, financial data, and physical addresses, is exposed to the open internet.

Threat actors frequently scrape search engines for exposed PII to launch identity theft campaigns, financial fraud, and targeted phishing attacks.

Furthermore, the disclosure notes that Fiverr actively runs advertisements for tax preparation services on its platform.

By failing to secure the resulting tax documents, the platform’s negligence could force tax preparers into violating strict compliance frameworks, such as the Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule.

Perhaps most troubling is Fiverr’s lack of response to the initial security warning. The researcher stated that the misconfiguration was responsibly reported to Fiverr’s designated security team 40 days before the public disclosure.

After receiving no reply or acknowledgment, the researcher chose to publish the findings on Hacker News to warn affected users.

Because this issue is an architectural misconfiguration rather than a traditional software code flaw, it is unlikely to receive a standard CVE (Common Vulnerabilities and Exposures) tracking number.

To resolve the data leak, cybersecurity experts note that Fiverr must immediately migrate user files to signed URLs, revoke public access to the Cloudinary storage, and submit automated requests to clear the exposed documents from Google’s search cache. Fiverr has not yet issued an official statement regarding the incident.


The post Researchers Claim Fiverr User Data Is Exposed in Google Search Results appeared first on Cyber Security News.
