Critical flaw in Fiverr.com potentially exposes millions of accounts

Pierluigi Paganini August 17, 2014

A CSRF (Cross-site request forgery) vulnerability affects the Fiverr.com website; millions of users are potentially at risk.

The Egyptian information security evangelist Mohamed Abdelbaset reported to colleagues at The Hacker News a serious CSRF (Cross-site request forgery) vulnerability in the popular Fiverr website.

The Fiverr.com website is a marketplace where people offer their services for five dollars per job.

Fiverr is commonly used by professionals such as bloggers and graphic designers, who offer their services starting from just $5, though depending on complexity a job could cost much more.

The security researcher explained that the CSRF vulnerability affecting Fiverr.com allows attackers to compromise any user account, which is why millions of users are potentially at risk.

Although the company is growing successfully, its management seems to be ignoring the security warning raised by the expert about this critical vulnerability and had not fixed the flaw before its public release.


In this specific case, the attacker needs to know the victim's Fiverr profile link to exploit the vulnerability.

“Using which the attacker will craft and host an exploit webpage on his own server,” Mohamed said while demonstrating the vulnerability to THN.

At this point he needs to trick the victim into visiting the page hosting the exploit. If the victim is already logged into his Fiverr account in the same browser, exploiting the CSRF vulnerability allows the attacker to replace the email address on the victim's Fiverr account with the attacker's own.

Once the email associated with the legitimate account has been substituted, the attacker can impersonate the victim and run the “Password reset” procedure. Below is the video proof of concept provided by the security expert; let's hope the security team at Fiverr fixes the flaw as soon as possible.
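The root cause described above is an email-change endpoint that accepts any request carrying the victim's session cookie, which browsers attach to form submissions from any origin. The following added example (not Fiverr's code, which is not public) models such an endpoint as a plain Python function and places the forgeable version beside a hardened one that refuses cross-site requests with two independent checks: a same-origin Origin/Referer header and a per-session synchronizer token. The handler names, the in-memory session store and the sample origin `https://marketplace.example` are assumptions made for this illustration.

```python
"""Forgeable vs. hardened 'change email' handler (added example, not Fiverr's code).
The in-memory stores, the Request stand-in and SITE_ORIGIN are assumptions."""
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed origin standing in for the marketplace site.
SITE_ORIGIN = "https://marketplace.example"

# In-memory stores (constructed): session id -> session data, username -> email.
SESSIONS: dict[str, dict] = {}
USERS: dict[str, str] = {}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: cookies, headers and POST form."""
    cookies: dict
    headers: dict
    form: dict


def login(username: str, email: str) -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    USERS[username] = email
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the site embeds in its own forms for this session."""
    return SESSIONS[sid]["csrf_token"]


def same_origin(url: str) -> bool:
    """True only if scheme and host:port match the site exactly."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_change_email_vulnerable(req: Request) -> tuple[int, str]:
    """The flawed pattern: the session cookie is the only proof of intent.
    Browsers attach cookies to form submissions aimed at the site from any
    origin, so a page elsewhere can make a logged-in user change their email."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    USERS[sess["user"]] = req.form["email"]
    return 200, "email updated"


def handle_change_email_hardened(req: Request) -> tuple[int, str]:
    """Same endpoint with two checks a cross-site page cannot satisfy."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None:
        return 401, "not logged in"
    # Check 1: fail closed when neither Origin nor Referer says this is our site.
    source = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if not same_origin(source):
        return 403, "cross-origin request rejected"
    # Check 2: constant-time comparison of the per-session synchronizer token.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    USERS[sess["user"]] = req.form["email"]
    return 200, "email updated"


if __name__ == "__main__":
    sid = login("alice", "alice@example.test")
    # What the browser would send from a page on another origin: the session
    # cookie comes along, but there is no token and the Origin is foreign.
    forged = Request({"session": sid}, {"Origin": "https://other.example"},
                     {"email": "changed@example.test"})
    print("vulnerable:", handle_change_email_vulnerable(forged))
    print("hardened:  ", handle_change_email_hardened(forged))
    # The site's own form carries the token and is submitted from our origin.
    legit = Request({"session": sid}, {"Origin": SITE_ORIGIN},
                    {"email": "new@example.test", "csrf_token": csrf_token_for(sid)})
    print("legit:     ", handle_change_email_hardened(legit))
```

The token check is the primary defence; the Origin/Referer check is a cheap second layer, and it fails closed because some clients strip the Referer header. On current browsers, marking the session cookie `SameSite=Lax` or `Strict` adds a third layer by keeping the cookie off cross-site POSTs altogether.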


Pierluigi Paganini

(Security Affairs – Fiverr, hacking)  


