Hacking Fiverr.com Accounts — Vulnerability Puts $50 Million Company At Risk

Fiverr.com Vulnerability Puts its Users' Accounts At Risk
Fiverr.com, a global online marketplace where people sell their services for five dollars per job, has a critical web application vulnerability that puts its millions of users at risk.

Fiverr recently raised $30 million in a third round of institutional funding to continue supporting the new version of its marketplace, but the company ignored the advance warning of the critical bug, responsibly reported by a vulnerability hunter, and failed to patch its website before his public disclosure.

Countless people provide services on the Fiverr website, such as graphic design, language translation, illustration, blogging and a lot more, starting from just $5 but going much higher depending on complexity, seller rating and type of work.

Security researcher Mohamed Abdelbaset, an Information Security Evangelist from Egypt, told The Hacker News that the Fiverr website is vulnerable to a Cross-Site Request Forgery (CSRF) flaw that allows him to compromise any user account easily.

Cross-Site Request Forgery (CSRF) is a method of attacking a website in which an intruder masquerades as a legitimate and trusted user. All the attacker needs to do is get the target's browser to make a request to your website on their behalf, which works if they can either:
  • Convince your users to open an HTML page they've constructed
  • Insert arbitrary HTML into a target website that your users visit
Not too difficult, is it?

In this case, an attacker only needs to know the victim's Fiverr profile link in order to exploit the vulnerability. The attacker then crafts and hosts an exploit webpage on his own server, Mohamed said while demonstrating the vulnerability to THN.

If the victim is already logged into his Fiverr account in the same browser, the CSRF vulnerability silently replaces the victim's Fiverr account email with the attacker's email address. Once that is done, the attacker can take over the victim's account simply by changing the account password via the website's "Password reset" option.
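The root cause of the flaw described above is a state-changing endpoint that trusts the session cookie alone. The following added example, not code from the article or from Fiverr, shows a minimal email-change handler in that vulnerable form beside a hardened version that requires a session-bound CSRF token and a same-origin Origin/Referer header; the request and session dictionaries, `SITE_ORIGIN`, and the sample addresses are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical origin standing in for the marketplace's own site (constructed).
SITE_ORIGIN = "https://marketplace.example"
SERVER_SECRET = secrets.token_bytes(32)  # server-side key, never sent to the client

def issue_csrf_token(session_id: str) -> str:
    """Synchronizer-token pattern: derive a token bound to this session via HMAC."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def change_email_vulnerable(request: dict, session: dict) -> dict:
    """'Before' handler: any origin that can make the browser send the cookie succeeds."""
    session["email"] = request["form"]["email"]
    return {"status": 200, "email": session["email"]}

def change_email_protected(request: dict, session: dict) -> dict:
    """Hardened handler: reject cross-origin requests and requests without a valid token."""
    origin = request["headers"].get("Origin") or request["headers"].get("Referer", "")
    parts = urlsplit(origin)
    # A missing header yields "://" here and is rejected like a foreign origin.
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return {"status": 403, "reason": "cross-origin request"}
    submitted = request["form"].get("csrf_token", "")
    expected = issue_csrf_token(session["id"])
    if not hmac.compare_digest(submitted, expected):  # constant-time comparison
        return {"status": 403, "reason": "missing or invalid CSRF token"}
    session["email"] = request["form"]["email"]
    return {"status": 200, "email": session["email"]}

def simulate() -> dict:
    """Run one forged and one legitimate request (constructed) through both handlers."""
    session = {"id": "sess-123", "email": "victim@example.com"}
    forged = {"headers": {"Origin": "https://attacker.example"},
              "form": {"email": "attacker@example.com"}}  # no token, foreign origin
    legit = {"headers": {"Origin": SITE_ORIGIN},
             "form": {"email": "new@example.com",
                      "csrf_token": issue_csrf_token(session["id"])}}
    return {
        "vulnerable_forged": change_email_vulnerable(forged, dict(session))["email"],
        "protected_forged": change_email_protected(forged, dict(session))["status"],
        "protected_legit": change_email_protected(legit, dict(session)),
    }

if __name__ == "__main__":
    print(simulate())
```

Running `simulate()` shows the forged request changing the address in the vulnerable handler while the hardened one returns 403 for it and 200 only for the same-origin request carrying the session's token.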

The researcher has also provided a video demonstration as a Proof of Concept. The vulnerability is critical and should be fixed as soon as possible.
