Tell HN: Fiverr left customer files public and searchable
applfanboysbgon 29 seconds ago [-]
Software development jobs are too accessible. Jobs with access to/control over millions of people's data should require some kind of genuine software engineering certification. It is ridiculous how we've completely normalised leaks like these on a weekly or almost-daily basis.
tfsh 1 minute ago [-]
Hopefully this can be patched soon.

Their robots file specifically has the code to disallow search engine crawling commented out - https://fiverr-res.cloudinary.com/robots.txt.

---

     # See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
     #
     # To ban all spiders from the entire site uncomment the next two lines:
     # User-Agent: *
     # Disallow: /
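To make the point above concrete, here is an added example (not from the thread or from Fiverr/Cloudinary) that feeds the two variants of that robots.txt to Python's standard-library parser: the file as quoted, where the only two rules are commented out and therefore have no effect, and a corrected copy with the lines uncommented. The sample file text and asset paths are constructed for the demo. Note that robots.txt only asks well-behaved crawlers to stay away; it does nothing to stop anyone fetching a file whose URL they already have, so it is a mitigation for indexing, not for the exposure itself.

```python
from urllib import robotparser

# Constructed copy of the default, fully commented-out robots.txt quoted above.
# Every line is a comment, so the parser sees zero rules.
ROBOTS_AS_SERVED = """\
# See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
#
# To ban all spiders from the entire site uncomment the next two lines:
# User-Agent: *
# Disallow: /
"""

# Constructed corrected version: the two rule lines uncommented, which is the
# minimum change that asks compliant crawlers not to index anything on the host.
ROBOTS_ENFORCED = """\
# Crawling of this asset host is disallowed for every user agent.
User-Agent: *
Disallow: /
"""


def effective_rules(robots_txt: str) -> list[str]:
    """Return the lines that actually carry a directive, i.e. non-empty text
    once comments (everything after '#') are stripped."""
    rules = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(line)
    return rules


def crawler_allowed(robots_txt: str, url: str, user_agent: str = "*") -> bool:
    """Parse robots_txt from memory and report whether a crawler identifying
    as user_agent is permitted to fetch url under those rules."""
    parser = robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return parser.can_fetch(user_agent, url)


if __name__ == "__main__":
    # Constructed asset URL standing in for any uploaded document on a CDN host.
    sample = "https://assets.example.invalid/uploads/tax-form.pdf"
    for label, text in (("as served", ROBOTS_AS_SERVED), ("enforced", ROBOTS_ENFORCED)):
        print(f"{label}: rules={effective_rules(text)} "
              f"crawler_allowed={crawler_allowed(text, sample)}")
```

Running it shows the served file yields an empty rule list and `crawler_allowed=True` for every path, while the enforced file yields `['User-Agent: *', 'Disallow: /']` and `crawler_allowed=False`. A quick check of this kind belongs in any deployment pipeline that publishes a robots.txt for a host holding user uploads, but the durable fix is access control on the objects, not crawler hints.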
qingcharles 16 minutes ago [-]
That's wild. Thousands of SSNs in there. Also a lot of Fiverr folks selling digital products and all their PDF courses are being returned for free in the search results.
janoelze 21 minutes ago [-]
really bad stuff in the results. very easy to find API tokens, penetration test reports, confidential PDFs, internal APIs. Fiverr needs to immediately block all static asset access until this is resolved. business continuity should not be a concern here.
mpeg 19 minutes ago [-]
lots of admin credentials too, which have probably never been changed
janoelze 10 minutes ago [-]
admin passwords to dating sites, that's the stuff people get blackmailed with
mtmail 3 hours ago [-]
You followed the correct reporting instructions.

https://www.fiverr.com/.well-known/security.txt only has "Contact: security@fiverr.com" and in their help pages they say "Fiverr operates a Bug Bounty program in collaboration with BugCrowd. If you discover a vulnerability, please reach out to security@fiverr.com to receive information about how to participate in our program."

wxw 3 hours ago [-]
Wow, surprised this isn't blowing up more. Leaking form 1040s is egregious, let alone getting them indexed by Google...
gregsadetsky 10 minutes ago [-]
I wrote to Cloudinary for what it's worth. This is brutal.
johnmlussier 39 minutes ago [-]
Probably not in scope but maybe https://bugcrowd.com/engagements/cloudinary will care?

This is bad.

morpheuskafka 31 minutes ago [-]
They probably wouldn't act immediately as there's no way for them to enable signing without breaking their client's site. The only cleanup you could do without that would be having google pull that subdomain I guess?

(Fiverr itself uses Bugcrowd but is private, having to first email their SOC as I did.)
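The "enable signing" option mentioned above refers to serving assets only through URLs that carry a time-limited signature, so that a bare object path no longer resolves. Below is an added example of that control in its generic form (an HMAC over the path plus an expiry), written for this thread and not Cloudinary's or Fiverr's own scheme; the secret, host and paths are constructed placeholders. The issuer mints a URL that expires, and the edge verifies it with a constant-time comparison before serving; an unsigned, expired or tampered URL is refused.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo secret; a real deployment keeps this in the CDN/edge key store.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _message(path: str, expires_at: int) -> bytes:
    # Bind the signature to both the object path and the expiry so neither
    # can be swapped for another without invalidating the MAC.
    return f"{path}|{expires_at}".encode()


def sign_url(path: str, expires_at: int, key: bytes = SIGNING_KEY) -> str:
    """Return path with an expiry and an HMAC-SHA256 signature appended."""
    sig = hmac.new(key, _message(path, expires_at), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'exp': expires_at, 'sig': sig})}"


def verify_url(url: str, now: int, key: bytes = SIGNING_KEY) -> bool:
    """Accept only URLs that carry a valid, unexpired signature for their path.
    Any missing or malformed parameter is treated as a failed check."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires_at = int(params["exp"][0])
        presented = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now > expires_at:
        return False
    expected = hmac.new(key, _message(parsed.path, expires_at), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking signature bytes through timing differences.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    issued_at = 1_700_000_000            # constructed epoch timestamp
    url = sign_url("/uploads/tax-form.pdf", issued_at + 600)
    print(url)
    print("fresh :", verify_url(url, issued_at + 60))       # True
    print("stale :", verify_url(url, issued_at + 601))      # False
    print("unsigned:", verify_url("/uploads/tax-form.pdf", issued_at))  # False
```

The operational cost the comment alludes to is real: once verification is switched on, every existing link embedded in client pages must be reissued with a signature, which is why the change cannot be flipped on unilaterally by the CDN provider. A staged rollout, signing new links first and then enforcing at the edge after a cutover window, is the usual way to get there without breaking the tenant's site.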

impish9208 54 minutes ago [-]
This is crazy! So many tax and other financial forms out in the open. But the most interesting file I’ve seen so far seems to be a book draft titled “HOOD NIGGA AFFIRMATIONS: A Collection of Affirming Anecdotes for Hood Niggas Everywhere”. I made it to page 27 out of 63.
onraglanroad 46 minutes ago [-]
I've read worse. Better than Dan Brown!
yieldcrv 3 minutes ago [-]
this is a bad leak
mraza007 2 hours ago [-]
Woah, that's brutal. All the important information is wild in public.
walletdrainer 10 minutes ago [-]
> Moreover, it seems like they may be serving public HTML somewhere that links to these files. As a result, hundreds are in Google search results, many containing PII

This is not how Google works.

smashah 1 hour ago [-]
They bought and.co and then dropped it. Strange company.
popalchemist 1 hour ago [-]
Burn it to the ground.
BoredPositron 1 hour ago [-]
Just by scrolling over it, that's really rough.
iwontberude 1 hour ago [-]
Loooool what a mess