Discussion

iwontberude: Loooool what a mess

impish9208: This is crazy! So many tax and other financial forms out in the open. But the most interesting file I’ve seen so far seems to be a book draft titled “HOOD NIGGA AFFIRMATIONS: A Collection of Affirming Anecdotes for Hood Niggas Everywhere”. I made it to page 27 out of 63.

janoelze: really bad stuff in the results. very easy to find API tokens, penetration test reports, confidental PDFs, internal APIs. Fiverr needs to immediately block all static asset access until this is resolved. business continuity should not be a concern here.

mpeg: lots of admin credentials too, which have probably never been changed

applfanboysbgon: Software development jobs are too accessible. Jobs with access to/control over millions of people's data should require some kind of genuine software engineering certification, and there should be business-cratering fines for something as egregious as completely ignoring security reports. It is ridiculous how we've completely normalised leaks like these on a weekly or almost-daily basis.

morpheuskafka: They may be part of it, but as a publicly traded company, there's got to be a at least a few people there with a fancy pedigree (not that that actually means they are good at their job or care). But if such a test existed, they presumably would have passed it.They also have an ISO 27001 certificate (they try to claim a bunch of AWSs certs by proxy on their security page, which is ironic as they say AWS stores most of their data while apparently all uploads are on this).

sergiotapia: This is really bad, just straight up people's income, SSN and worse just right there in the search results on Brave Search even.

tfsh: Hopefully this can be patched soon.Their robots file specifically has the code to disallow search engine crawling commented out - https://fiverr-res.cloudinary.com/robots.txt.--- See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file # # To ban all spiders from the entire site uncomment the next two lines: # User-Agent: \* # Disallow: /

yieldcrv: this is a bad leak, appreciate the attempts at disclosure before this

sergiotapia: Link please :pray:

walletdrainer: > Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PIIThis is not how Google works.

AndroTux: It kind of is, though. Google doesn't randomly try to visit every URL on the internet. It follows links. Therefore, for these files to be indexed by Google, they need to be linked to from somewhere.