Fiverr left sensitive work files publicly accessible and searchable through its Cloudinary integration, potentially exposing confidential client-worker communications and deliverables.
Fiverr users discovered that the platform's file handling system exposed customer files through publicly accessible URLs rather than secured, expiring links.
The issue centers on Fiverr's use of Cloudinary, a service that processes PDFs and images exchanged between workers and clients on the platform. While Cloudinary supports signed URLs with expiration times—similar to Amazon S3 security practices—Fiverr configured public URLs instead.
This configuration allowed anyone with knowledge of a file's URL to access it directly, bypassing authentication. More critically, the files appear to have been discoverable through search indexing, meaning they could potentially be located through public search engines.
The exposed materials included work products sent between clients and freelancers during active projects, representing confidential business communications and intellectual property. Given Fiverr's nature as a gig work platform, these files could contain sensitive project details, client information, and contractor work samples.
The vulnerability stems from a deliberate architectural choice rather than a misconfiguration. Fiverr selected public URLs for file serving despite having secure alternatives available through Cloudinary's signed URL feature, which would have restricted access to authenticated users for a set time period.
This incident highlights a broader tension in cloud storage practices: convenience versus security. Public URLs streamline system design and reduce authentication overhead, but create significant exposure risks when handling sensitive communications.
The discovery was reported through Hacker News' community forum, where users shared examples of accessible files. The full scope of exposed data—including how long files remained public and how many users were affected—remains unclear. Fiverr has not yet made a public statement regarding the issue or the steps taken to remediate it.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.