Fiverr is sending Phishing Emails and won't fix it


CyberCitizen

Fiverr is an online marketplace that connects freelancers with clients who need various digital services. It was founded in 2010 and has since grown into one of the largest platforms for freelance work. At the time of this article (8th of June, 2023), it is valued at 1.05 billion USD.

It proudly advertises with some of the biggest companies around the world being their “trusted” customers, such as Google, Meta, PayPal and Netflix.


We have been using Fiverr for quite some time now, ordering various services, called gigs, from various sellers. We recently discovered a bug on the platform that is indirectly security-relevant and has the ability to cause financial damage. This bug causes emails to be sent out asking the client to pay for the service even though the amount is not due (“Fiverr Phishing Email”).

Over the course of multiple months, we have reached out to Fiverr multiple times via support tickets and their official Bug Bounty program on Bugcrowd. The result was that they accepted the issue as a “glitch” and tried to pressure us not to publish any information on this publicly, whilst refusing to fix it and to honor the comprehensive reports we sent on this.

4th of April, 2023: first Fiverr Phishing Email received.
4th of April, 2023: reached out to Fiverr with the first support ticket.
6th of April, 2023: +1 Fiverr Phishing Email.
18th of April, 2023: after a lot of back-and-forth messages and refusals from Fiverr support, an invitation to the Bugcrowd program was received.
25th of April, 2023: bug report submitted to the Fiverr security team via Bugcrowd.
30th of April, 2023: final decline by the Fiverr security team as not a security issue.
13th of May, 2023: Fiverr support closed the ticket and accepted the bug as a “system glitch”, asking us to reach out if this occurs again.
27th of May, 2023: +1 Fiverr Phishing Email.
28th of May, 2023: the issue reoccurred and we therefore opened a new Fiverr support ticket.
29th of May, 2023: last answer from Fiverr, pressuring us not to publish anything, threatening us with legal action and redirecting us back to Bugcrowd. (+1 Fiverr Phishing Email)
1st of June, 2023: final reach-out to Fiverr support asking if they are going to fix the issue eventually. They never replied.

Once a delivery is made by a seller, you as a customer get an 8-day period during which you can review the delivery and decide whether you approve it, or if something is still missing.

However, we have received emails from Fiverr after 4 days or less with the following content:

Wrongful Fiverr Reminder Email

Because the email forces the customer to take action within the same day, the customer may take a wrongful action, leading to an incomplete delivery.
If the order does get wrongfully closed early, the customer can no longer get the services provided by the vendor and is left with an unfinished, broken, unusable output, which leads to much greater further costs as well as scheduling troubles.
Effectively, potential financial damage is possible.


The random timing of the final chance emails contradicts the 8-day review period and creates an inconsistency. This inconsistency can lead to confusion and a lack of trust in the platform’s processes.

Since there is no fix for this issue so far, we strongly recommend that every Fiverr customer be aware of this and closely review every single email coming from Fiverr in order to avoid potential issues.
