Tell HN: Fiverr leaves client files publicly searchable

2 | by morpheuskafka | 3 days ago | original post
Original text
Fiverr (gig work/task platform, competitor to Upwork) uses a service called Cloudinary to process PDF/images in messaging, including work products from the worker to client.

Besides the PDF processing value add, Cloudinary effectively acts like S3 here, serving assets directly to the web client. Like S3, it has support for signed/expiring URLs. However, Fiverr opted to use public URLs, not signed ones, for sensitive client-worker communication.

Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII.

Example query: site:fiverr-res.cloudinary.com form 1040

In fact, Fiverr actively buys Google Ads for keywords like "form 1234 filing" despite knowing that it does not adequately secure the resulting work product, causing the preparer to violate the GLBA/FTC Safeguards Rule.

Responsible Disclosure Note -- 40 days have passed since this was notified to the designated vulnerability email (security@fiverr.com). The security team did not reply. Therefore, this is being made public as it doesn't seem eligible for CVE/CERT processing as it is not really a code vulnerability, and I don't know anyone else who would care about it.
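The post's core point is the difference between a bare public asset URL and a signed, expiring one: anyone who finds a public URL (a crawler included) can fetch the file, whereas a signed URL only works for the holder of a short-lived token minted by the application. The Python below is an added example, not code from the post, from Fiverr or from Cloudinary; it uses a generic HMAC-SHA256 scheme with an `expires` and `sig` query parameter, which is an illustration of the mechanism rather than Cloudinary's actual signing format. The secret key, the host `cdn.example.invalid`, the file paths and the HTML snippet are all constructed. It also includes a small audit helper that scans HTML for asset links on a given host and reports which ones are unsigned, the check a defender would run against their own rendered pages.

```python
import hashlib
import hmac
import re
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side key. A real deployment loads this from a secrets
# manager; it must never be shipped to the browser.
SECRET_KEY = b"constructed-example-key-not-a-real-secret"


def sign_url(base_url: str, path: str, ttl_seconds: int,
             now: Optional[int] = None) -> str:
    """Mint an expiring URL for `path`.

    The signature covers the path and the expiry, so neither can be changed
    without the key. Generic HMAC scheme; not Cloudinary's own format.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    message = f"{path}\n{expires}".encode()
    sig = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
    return f"{base_url}{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_url(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Rejects unsigned, expired and tampered URLs."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    if "expires" not in qs or "sig" not in qs:
        return False, "unsigned"          # the failure mode the post describes
    try:
        expires = int(qs["expires"][0])
    except ValueError:
        return False, "bad expiry"
    if now >= expires:
        return False, "expired"
    message = f"{parsed.path}\n{expires}".encode()
    expected = hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()
    # Constant-time comparison so signature checks do not leak timing.
    if not hmac.compare_digest(expected.encode(), qs["sig"][0].encode()):
        return False, "bad signature"
    return True, "ok"


_LINK_RE = re.compile(r'(?:href|src)="([^"]+)"')


def audit_asset_links(html: str, asset_host: str,
                      now: Optional[int] = None) -> Dict[str, str]:
    """Map each asset URL on `asset_host` found in `html` to its verify reason.

    Any entry reporting "unsigned" is a file that a crawler could fetch and
    index if the page is reachable.
    """
    findings: Dict[str, str] = {}
    for url in _LINK_RE.findall(html):
        if urlparse(url).netloc != asset_host:
            continue
        _, reason = verify_url(url, now=now)
        findings[url] = reason
    return findings


if __name__ == "__main__":
    base = "https://cdn.example.invalid"
    signed = sign_url(base, "/deliveries/client-42/return.pdf", 300)
    public = base + "/deliveries/client-42/return.pdf"
    # Constructed page fragment with one signed and one public link.
    page = f'<a href="{signed}">download</a> <img src="{public}">'
    for url, reason in audit_asset_links(page, "cdn.example.invalid").items():
        print(reason, url)
```

Running the block prints `ok` for the signed link and `unsigned` for the public one. The design choice worth noting is that the signature binds the path, so a valid link for one client's file cannot be edited into a link for another client's file, and the expiry limits how long a leaked link stays useful even if it does end up in a search index.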