Critical flaw in Fiverr.com potentially exposes millions accounts

A CSRF (Cross-site request forgery) vulnerability affects the Fiverr.com website, and millions of users are potentially at risk.

The Egyptian Information Security Evangelist, Mohamed Abdelbaset, reported a serious CSRF (Cross-site request forgery) vulnerability in the popular Fiverr website to The Hacker News.

The Fiverr.com website is a marketplace where people offer their services for five dollars per job.

The Fiverr website is commonly used by professionals such as bloggers and graphic designers, who offer their services starting from just $5, although a job can cost much more depending on its complexity.

The security researcher explained that the CSRF (Cross-site request forgery) vulnerability affecting the Fiverr.com website allows attackers to compromise any user account, which is why millions of users are potentially at risk.

Although the company is growing successfully, its management appears to have ignored the warning raised by the researcher about this critical vulnerability and had not fixed the flaw before its public disclosure.


In this specific case, the attacker needs to know the victim's Fiverr profile link to exploit the vulnerability.

“Using which the attacker will craft and host an exploit webpage on his own server”

Mohamed said while demonstrating the vulnerability to THN.

At this point the attacker needs to trick the victim into visiting the page hosting the exploit. If the victim is already logged into Fiverr in the same browser, exploiting the CSRF vulnerability allows the attacker to replace the email address on the victim's Fiverr account with the attacker's own email address.

Once the email address associated with a legitimate account has been replaced, the attacker can impersonate the victim by running the “Password reset” procedure. Below is the video proof of concept provided by the security expert; let's hope the security team at Fiverr fixes the flaw as soon as possible.
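To make the flaw concrete, here is an added example (not Fiverr's code and not part of the original post) that models a change-email endpoint in Python: the vulnerable handler accepts any request that carries the victim's session cookie, which is exactly what a cross-site form submission does, while the hardened handler also demands a per-session CSRF token and checks the Origin header. The endpoint shape, the in-memory session store and the www.fiverr.com origin are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-ins for the site's session store and user table.
SESSIONS = {"sess-victim": {"user": "victim", "csrf": secrets.token_hex(16)}}
USERS = {"victim": {"email": "victim@example.com"}}


@dataclass
class Request:
    """Minimal model of a browser POST to the change-email endpoint."""
    cookies: dict                       # attached by the browser, even on cross-site submits
    form: dict                          # body written by whoever authored the form
    headers: dict = field(default_factory=dict)


def change_email_vulnerable(req: Request) -> bool:
    """Trusts the session cookie alone, so any page the victim visits can submit it."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if not sess:
        return False
    USERS[sess["user"]]["email"] = req.form["email"]
    return True


def change_email_hardened(req: Request, site_origin="https://www.fiverr.com") -> bool:
    """Rejects forged submissions: requires the per-session synchronizer token (which a
    cross-site page cannot read) and checks the browser-set Origin/Referer header."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if not sess:
        return False
    # compare_digest keeps the token comparison constant-time.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return False
    # Defence in depth: browsers set Origin on cross-site POSTs and a page cannot forge it.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (origin == site_origin or origin.startswith(site_origin + "/")):
        return False
    USERS[sess["user"]]["email"] = req.form["email"]
    return True


def cross_site_request() -> Request:
    """What arrives when the logged-in victim's browser submits a form authored on
    another origin: the session cookie rides along, but no token is present."""
    return Request(cookies={"session": "sess-victim"},
                   form={"email": "attacker@example.net"},
                   headers={"Origin": "https://attacker.example"})
```

A real email-change handler should additionally require the current password or a confirmation link sent to the old address, because this email is what the password-reset flow trusts.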


Pierluigi Paganini

(Security Affairs – Fiverr, hacking)