Mohamed Abdelbaset, an independent security researcher from Egypt, discovered a critical CSRF vulnerability in Fiverr.com that allows an attacker to take over any user account on Fiverr.
Fiverr is a global online marketplace offering tasks and services, beginning at a cost of $5 per job performed, from which it gets its name. The site is primarily used by freelancers who use Fiverr to offer a variety of different services, and by customers who are interested in buying those services.
What is CSRF?
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. It works because the browser automatically attaches the victim's session cookie to any request sent to the target site, including requests triggered by a page the attacker controls, so the site cannot tell a forged request from a genuine one unless it checks something the attacker cannot obtain, such as a per-session anti-CSRF token.
Abdelbaset demonstrated the proof of concept in a video. The attack proceeds as follows:
- The attacker sends the victim a link to an exploit page (a web page specially crafted by the attacker).
- When the victim, who is logged in to Fiverr, opens the link, the exploit page silently submits a request to Fiverr that replaces the email address associated with the victim's account with the one the attacker hard-coded in the exploit page.
- With the account's email address under their control, the attacker gains full access to the victim's account.
Fiverr, which is very popular with freelancers, had recently raised $30 million in a Series C funding round to continue supporting the new version of its marketplace.
The company, however, appears less concerned about cyber threats: it took no steps to fix the vulnerability after the researcher reported it. As of now Fiverr remains vulnerable to this CSRF attack; now that the vulnerability is in the public domain, we, along with Fiverr's users, can expect a quick patch.