Fiverr’s Cloudinary Misconfiguration Leaks Tax Forms via Google Search
Sensitive customer tax documents are publicly accessible and indexed by Google after a Cloudinary storage misconfiguration at Fiverr went unaddressed for 40 days.
**TL;DR** Fiverr’s freelance marketplace is leaking tax returns and other personal files straight into Google search results. The exposure stems from a Cloudinary storage misconfiguration that was reported to the company 40 days before public disclosure.
**Context** Security researcher "morpheuskafka" found that Fiverr’s use of the Cloudinary service creates fully public URLs for files exchanged between freelancers and clients. Because these links lack authentication, anyone with the URL can view PDFs, images, or tax forms without logging into Fiverr. Web crawlers have indexed these URLs, making the documents appear in ordinary Google searches.
**Key Facts** A simple Google query for "site:cloudinary.com Fiverr 1040" returns dozens of IRS Form 1040s displaying social security numbers, addresses, and financial data. The researcher confirmed that sensitive customer files, including tax documents and personal information, are publicly accessible and indexed by Google. The misconfiguration was privately reported to Fiverr’s security team 40 days before the researcher published the findings on Hacker News.
**What It Means** Exposed tax returns give threat actors ready material for identity theft, fraud, and targeted phishing. Freelancers who use Fiverr for tax preparation services may inadvertently violate the Gramm‑Leach‑Bliley Act and the FTC Safeguards Rule, which require reasonable protection of customer data. The incident also highlights how reliance on third‑party storage without proper access controls can turn a routine file‑share feature into a data leak.
**Mitigations** Fiverr should immediately switch to signed, time‑limited URLs for all Cloudinary assets and enforce private ACLs on existing buckets. Security teams must enable logging and alerts for any newly created public URLs and conduct a retrospective scan for exposed files. To limit further indexing, submit removal requests via Google Search Console and add appropriate robots.txt directives. Finally, rotate any Cloudinary API keys and review third‑party service configurations against CWE‑200 and MITRE ATT&CK T1530 (Data from Cloud Storage).
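The two defensive steps above, a retrospective scan for exposed files and a move to signed, time-limited links, can be sketched in a few lines. The following is an added example and is not Fiverr's or Cloudinary's own code. The audit function relies only on the documented shape of Cloudinary delivery URLs (`/<cloud>/<resource_type>/<delivery_type>/...`, where `upload` is the public delivery type and signed links carry an `s--<8 chars>--` segment); the signing scheme is a generic HMAC-with-expiry pattern, not Cloudinary's own signature format; the cloud name `example-cloud`, the secret, and the sample URLs are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re
import time
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Constructed placeholder secret for the example; a real signing key stays server-side.
SIGNING_SECRET = b"example-signing-secret-not-real"

# Cloudinary delivery URLs look like:
#   https://res.cloudinary.com/<cloud>/<resource_type>/<delivery_type>/[s--sig--/][transforms/][v123/]<public_id>.<ext>
# "upload" assets are fetchable by anyone holding the link; "private" and
# "authenticated" delivery types require a signature segment.
_CLD_PATH = re.compile(
    r"^/(?P<cloud>[^/]+)/(?P<resource>image|raw|video)/(?P<dtype>upload|private|authenticated)"
    r"(?P<signed>/s--[A-Za-z0-9_-]{8}--)?/"
)


def audit_cloudinary_urls(urls: List[str]) -> List[str]:
    """Return the delivery URLs an unauthenticated crawler could fetch:
    public 'upload' delivery with no signature segment after the type."""
    exposed = []
    for url in urls:
        parsed = urlparse(url)
        if not parsed.netloc.endswith("cloudinary.com"):
            continue  # not a Cloudinary asset, out of scope for this check
        m = _CLD_PATH.match(parsed.path)
        if m and m.group("dtype") == "upload" and not m.group("signed"):
            exposed.append(url)
    return exposed


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_expiring_url(origin: str, path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Generic HMAC-signed, time-limited link (illustrative pattern, not Cloudinary's format).
    The MAC covers both the path and the expiry, so neither can be altered after issue."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    mac = hmac.new(SIGNING_SECRET, f"{path}|{expires}".encode(), hashlib.sha256).digest()
    return f"{origin}{path}?expires={expires}&sig={_b64url(mac)}"


def verify_expiring_url(url: str, now: Optional[int] = None) -> bool:
    """Accept a link only if its signature matches and its expiry lies in the future."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # unsigned or malformed link is never served
    if now >= expires:
        return False  # expired
    expected = hmac.new(SIGNING_SECRET, f"{parsed.path}|{expires}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, _b64url(expected))


# Constructed sample links for the audit; none of these are real Fiverr assets.
SAMPLE_URLS = [
    "https://res.cloudinary.com/example-cloud/image/upload/v1700000000/orders/123/form-1040.pdf",
    "https://res.cloudinary.com/example-cloud/image/authenticated/s--AbCdEfGh--/v1700000000/orders/124/w9.pdf",
    "https://res.cloudinary.com/example-cloud/raw/private/s--AbCdEfGh--/orders/125/receipt.pdf",
    "https://cdn.example.com/static/logo.png",
]

if __name__ == "__main__":
    for exposed in audit_cloudinary_urls(SAMPLE_URLS):
        print("publicly fetchable:", exposed)
    link = sign_expiring_url("https://files.example.com", "/orders/123/form-1040.pdf", ttl_seconds=300)
    print("signed link valid now:", verify_expiring_url(link))
```

Run as a script, the audit prints only the unsigned `upload` link; the `authenticated` and `private` links pass because a crawler that stumbles on them cannot fetch them without a valid signature. Feeding the same audit function a dump of asset URLs from application logs gives the retrospective scan the Mitigations paragraph asks for, and hooking it into upload events gives the alert on newly created public URLs.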
**Watch for** Fiverr’s official response, any Google delisting updates, and potential regulatory scrutiny from the FTC or state attorneys general.