Researchers say Fiverr left user files open to Google search

A security researcher named Morpheuskafka has found that thousands of private files from the Tel Aviv-based gig-work website Fiverr were left open for anyone to view online. The leaked data allegedly includes very sensitive items like tax forms, photos of driving licences, and work contracts. These documents were not stored on a private, restricted server but were actually indexed and appeared in Google search results.

Fiverr uses a third-party service called Cloudinary to manage and store the images and PDFs that users send to each other. And, instead of using signed or expiring URLs that only authorised users could open, the platform, reportedly, used public URLs.

Since some of these links were placed on public pages, search engines were able to crawl and list them, which is why a simple search could bring up a user’s personally identifiable information (PII). 

Read more at HackRead