Fiverr.com, a global online marketplace which provides a platform for people to sell their services for five dollars per job, is vulnerable to a critical web application vulnerability that puts its millions of users at risk.
Fiverr raised $30 million in a third round of institutional funding to continue supporting the new version of its marketplace, but the company ignored the advance warning of the critical bug, reported responsibly by a vulnerability hunter, and failed to patch its website before his public release.
Countless people provide services on the Fiverr website, such as graphic design, language translation, illustration, blogging and much more, starting from just $5 but going much higher depending on complexity, seller rating and type of work.
Cross-Site Request Forgery (CSRF) is a method of attacking a web site in which an intruder masquerades as a legitimate and trusted user. All the attacker needs to do is get the target's browser to make a request to your website on their behalf, which they can do if they can either:
– Convince your users to visit an HTML page they have constructed, or
– Insert arbitrary HTML in a website that your users visit.
Not too difficult, is it?
In this case, an attacker only needs to know the victim's Fiverr profile link in order to exploit the vulnerability; he then crafts and hosts an exploit webpage on his own server.
The Attack Scenario:
If the victim is already logged into his Fiverr account in the same browser, the CSRF vulnerability silently replaces the victim's Fiverr account email with the attacker's email address. Once done, the attacker can take over the victim's account just by changing the account password via the website's "Password reset" option.
The bug has been fixed by adding an anti-CSRF token to all sensitive requests.
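As an added illustration of the fix described above (example code, not Fiverr's), here is an email-change handler written the vulnerable way beside one that binds a per-session anti-CSRF token to the request and rejects foreign Origin headers. The in-memory session store and the allowed origin are constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory session store for the demo; a real app keeps this server-side.
SESSIONS = {}
# Assumption: the site's own origin, used to reject cross-site form posts.
ALLOWED_ORIGINS = {"https://marketplace.example"}


def new_session(user_email):
    """Log a user in: create a session with a per-session anti-CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"email": user_email, "csrf": secrets.token_hex(32)}
    return sid


def csrf_token_for(session_id):
    """Token the site's own email-change form embeds as a hidden field."""
    return SESSIONS[session_id]["csrf"]


def change_email_unprotected(session_cookie, form):
    """The vulnerable pattern: the session cookie is the only proof the
    request is wanted, and the browser attaches it to cross-site posts too."""
    session = SESSIONS.get(session_cookie)
    if session is None:
        return 401, "not logged in"
    session["email"] = form["new_email"]
    return 200, "email updated"


def change_email_protected(session_cookie, form, origin=None):
    """The fixed pattern: require a token bound to the session, which a page
    on another origin cannot read, and reject foreign Origin headers."""
    session = SESSIONS.get(session_cookie)
    if session is None:
        return 401, "not logged in"
    # Browsers send Origin on cross-site POSTs; it may be absent on same-site ones.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-site origin rejected"
    token = form.get("csrf_token", "")
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "missing or invalid anti-CSRF token"
    session["email"] = form["new_email"]
    return 200, "email updated"
```

A cross-site page can make the browser send the session cookie, but it cannot read the token from the site's own form, so the forged post fails the check even though the user is logged in.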