- Convince your users to click on a HTML page they've constructed
- Insert arbitrary HTML in a target website that your users visit
Fiverr.com, a global online marketplace which provides a platform for people to sell their services for five dollars per job, is vulnerable to a critical web application vulnerability that puts its millions of users at risk.
Fiverr recently raised $30 million in a third round of institutional funding to continue supporting the new version of its marketplace, but the company ignored the advance warning of the critical bug reported responsibly by a vulnerability hunter and fails to patch up their website before his public release.
There are endless numbers of people providing services on Fiverr website, such as graphic design, language translation, illustration, blogging and a lot more that start from just $5 but can go much higher, depending on complexity, seller rating, and type of work.
According to a security researcher Mohamed Abdelbaset, an Information Security Evangelist from Egypt, told The Hacker News that Fiverr website is vulnerable to CSRF (Cross-site request forgery) vulnerability that allows him to compromise any user account easily.
Cross-Site Request Forgery (CSRF) is a method of attacking a Web site in which an intruder masquerades as a legitimate and trusted user. All the attacker need to do is get the target browser to make a request to your website on their behalf. If they can either:
Not too difficult, is it?
In this case, an attacker only needs to know the Fiverr profile link of the victim in order to exploit the vulnerability. Using which the attacker will craft and host a exploit webpage on his own server, Mohamed said while demonstrating the vulnerability to THN.
If the victim has already logged into his Fiverr account on the same browser, the CSRF vulnerability will silently replace the victim's Fiverr account email with the attacker's email address. Once done, the attacker can take over the victim's account just by changing the account password from "Password reset" option from the website.
The researcher has also provided a video demonstration as a Proof of Concept. The vulnerability is critical and should be fixed as soon as possible.