gregsadetsky 2 days ago
I wrote to security@fiverr.com and they just replied: "You’re the second person to flag this issue to us. Please note that our records show no contact with Fiverr security regarding this matter ~40 days ago, unlike the poster claims. We are currently working to resolve the situation."

morpheuskafka 2 days ago
I have uploaded the email here: https://gist.github.com/aidanbh/3da7cecb3e2496e5c5110b88f21b... (technically, I guess that doesn't prove anything other than that it is in my Sent folder? It has a message ID, but I guess only the purelymail admin could confirm that.) In any event, this should never have required an outside reminder. The indexing issue may be something non-obvious. But the core decision not to use signed/expiring URLs is nothing less than good old security by obscurity.

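The alternative morpheuskafka points to, as an added example that is not from the thread or from Fiverr's own code: a download link carrying an expiry and an HMAC-SHA256 signature, so that a link that has expired, been tampered with, or was never signed is refused. The signing key, host and file name are constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example key; a real service loads this from a secret store.
SECRET = b"example-signing-key-not-for-production"


def sign_url(base_url: str, path: str, ttl_seconds: int,
             now: Optional[int] = None, secret: bytes = SECRET) -> str:
    """Return base_url + path with an expiry timestamp and HMAC signature appended.

    The signature covers both the path and the expiry, so neither can be
    changed by the link holder without invalidating the link.
    """
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    msg = f"{path}?expires={expires}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{base_url}{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_url(url: str, now: Optional[int] = None, secret: bytes = SECRET) -> bool:
    """Accept the link only if it is unexpired and its signature matches the path."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False  # unsigned or malformed link: a bare guessable URL is not enough
    if now >= expires:
        return False  # expired: an old link that leaks (or gets indexed) stops working
    expected = hmac.new(secret, f"{parsed.path}?expires={expires}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison


if __name__ == "__main__":
    link = sign_url("https://files.example.com", "/uploads/w9-1234.pdf", 600, now=1_700_000_000)
    print(link)
    print("valid now:", verify_url(link, now=1_700_000_100))
    print("valid after expiry:", verify_url(link, now=1_700_000_700))
```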
trollbridge 2 days ago
I've contacted fiverr before about obvious fraud being conducted through their platform, and they just sent me in endless loops of "open a ticket". "No, e-mail us about it." "No, e-mail us at our security contact about it." Crickets, and then a response saying to please open a ticket. Basically, they aren't set up for anyone to actually contact them and expect a resolution.

TZubiri 2 days ago
Oh, I got that too. Sent an email, "Open a ticket". Then I see in the support page that the email opened a ticket and it was marked as solved. For sure their internal metrics are all green and solved tickets are on the rise.

eudamoniac 2 days ago
I wouldn't be surprised if their email blocks all unusual TLDs like your .dev.

trollbridge 2 days ago
Gee, that response doesn't sound defensive at all.

Loughla 2 days ago
So who has more incentive to lie, fiverr or OP?

applfanboysbgon 2 days ago
Is this even a question? Obviously, the company that has publicly posted people's tax forms on the internet is very trustworthy and we should eagerly believe everything they say. I don't think it even comes down to "lying". It's possible that they genuinely believe they didn't receive contact, but given that they are verifiably completely and totally incompetent and have no right to be employed in their current role, they've earned exactly zero benefit of doubt.

morpheuskafka 2 days ago
@janoelze -- that was my thought too, though less so that they wouldn't share a claim of not being notified at all with a third party, but more that those kinds of things need to go through legal/comms/etc., not whoever runs the security mailbox. If the person running the email box is not the CISO, surely they at least need the CISO's approval to say something beyond a thank you or follow-up questions? (And if they are the CISO, then they have bigger things to worry about than replying...)

janoelze 2 days ago
(weird to share any details about this incident to uninvolved parties via email anyway)

zelphirkalt 2 days ago
Exactly, it doesn't have to be about them lying. It could simply be that they let go or lost one of their engineers, and that person knew why to do what and the next one didn't, accidentally exposing stuff.