[SECURITY]

FIVERR EXPOSED CUSTOMER FILES VIA PUBLIC URLS

INDUSTRY DESK | TUE, APR 14, 2026

■ AI-SUMMARIZED FROM 1 SOURCE BELOW

Fiverr left sensitive work files publicly accessible and searchable through its Cloudinary integration, potentially exposing confidential client-worker communications and deliverables.

Fiverr users discovered that the platform's file handling system exposed customer files through publicly accessible URLs rather than secured, expiring links. The issue centers on Fiverr's use of Cloudinary, a service that processes PDFs and images exchanged between workers and clients on the platform. While Cloudinary supports signed URLs with expiration times—similar to Amazon S3 security practices—Fiverr configured public URLs instead. This configuration allowed anyone with knowledge of a file's URL to access it directly, bypassing authentication.

More critically, the files appear to have been discoverable through search indexing, meaning they could potentially be located through public search engines. The exposed materials included work products sent between clients and freelancers during active projects, representing confidential business communications and intellectual property. Given Fiverr's nature as a gig work platform, these files could contain sensitive project details, client information, and contractor work samples.

The vulnerability stems from a deliberate architectural choice rather than a misconfiguration. Fiverr selected public URLs for file serving despite having secure alternatives available through Cloudinary's signed URL feature, which would have restricted access to authenticated users for a set time period. This incident highlights a broader tension in cloud storage practices: convenience versus security. Public URLs streamline system design and reduce authentication overhead, but create significant exposure risks when handling sensitive communications.

The discovery was reported through Hacker News' community forum, where users shared examples of accessible files. The full scope of exposed data—including how long files remained public and how many users were affected—remains unclear. Fiverr has not yet made a public statement regarding the issue or the steps taken to remediate it.
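The difference between a public URL and a signed, expiring link, as an added example that is not from the article, Fiverr, or Cloudinary: a generic HMAC scheme, not Cloudinary's actual URL format. The host, file path, key, and the `expires` and `sig` parameter names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for illustration; a real key lives in a secret store.
SECRET_KEY = b"constructed-demo-key"
BASE_URL = "https://files.example.test"  # hypothetical delivery host


def _mac(path: str, expires: int) -> str:
    # Bind the signature to both the path and the expiry so neither can be swapped.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue a link for an authenticated user that stops working after the TTL."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _mac(path, expires)})
    return f"{BASE_URL}{path}?{query}"


def verify_url(url: str, now: Optional[int] = None) -> str:
    """Return 'ok', 'expired', or 'invalid' for a requested URL."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return "invalid"  # a bare, public-style URL carries no signature
    expected = _mac(parts.path, expires)
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return "invalid"
    return "ok" if now <= expires else "expired"


if __name__ == "__main__":
    link = sign_url("/deliveries/order-123/report.pdf", ttl_seconds=300, now=1_000)
    print(link)
    print(verify_url(link, now=1_100))  # inside the TTL
    print(verify_url(link, now=2_000))  # after expiry
    print(verify_url(f"{BASE_URL}/deliveries/order-123/report.pdf", now=1_100))
```

Because an indexed or leaked copy of such a link stops resolving once `expires` passes, the exposure window is bounded by the TTL rather than by the lifetime of the file.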

■ SOURCES

Hacker News

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE