
Posted (edited)

Recently, I had an unpleasant experience.

I was abruptly logged out across all devices, website, mobile, and app. Shortly after, I received an unexpected email titled “Reset Your Password Request,” which I hadn’t initiated.

This “scam” involves someone using the email linked to your Fiverr account to trigger a password reset request.

After some research, I found that other sellers have faced the same issue, this seller made a video about it: https://www.youtube.com/watch?v=m80ioZkL8So

Here is a thread where multiple users experienced this: https://community.fiverr.com/forums/topic/339448-mfa-requirement-for-password-reset-feature-request/

This raises serious security concerns from my point of view:

  • Have emails associated with Fiverr accounts been exposed? Was there a data breach? I don’t see any other way in which external people could know the email associated with Fiverr accounts.
     
  • Why does simply knowing someone’s email allow anyone to trigger a logout? This vulnerability lets someone repeatedly send reset requests, potentially overwhelming users.
     
  • The current 2FA method is not secure enough and is outdated.



Security Concerns with Current 2FA

The current 2FA options (phone number or email) are outdated. Text messages are not encrypted and can be intercepted. SIM swapping is also common nowadays.

Modern security standards recommend stronger options, like authenticator apps (e.g., Google Authenticator) or security keys, which offer better protection against unauthorized access.

Fiverr accounts hold sensitive information and earnings. The current 2FA is inadequate for this type of data.

What could be done better:

  1. Upgrade 2FA Options: Introduce secure 2FA methods like authenticator apps and security keys.
     
  2. Allow users to select the 2FA methods they want to enable and give them the ability to disable the unwanted ones.
     
  3. Implement a Settings Lock: Add a lock for critical settings, especially for security options and withdrawal methods. With a settings lock, any change would trigger a waiting period (e.g., one day) before the change can be applied. This prevents unauthorized changes to the account even if someone gains access to it.
     
  4. Emergency support: We are not able to create a ticket to customer support in case we lose access to our accounts as we need to be logged in to create a ticket. There should be a way to reach support for these emergency concerns.

The number of scams has drastically increased in a few months; now there is not one day where I don’t receive a scam/spam message in my inbox. There is a need for better account protection.

Edited by giovanni_ux
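The post above describes two defensive design points: a "forgot password" request should not log anyone out or be repeatable without limit, and the reset link should be unguessable and sent over HTTPS. The following is an added illustration of such a flow (example code written for this thread, not Fiverr's implementation); the account model, the rate-limit and token-lifetime values, and the `example.com` domain are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

RESET_TTL_SECONDS = 15 * 60     # assumed: a reset token is valid for 15 minutes
MAX_REQUESTS_PER_HOUR = 3       # assumed: per-account cap on reset requests
RESET_BASE_URL = "https://www.example.com/reset"  # assumed; always https

@dataclass
class Account:
    email: str
    password_hash: str
    sessions: set = field(default_factory=set)            # active session ids
    reset_tokens: dict = field(default_factory=dict)      # token -> expiry time
    reset_requests: list = field(default_factory=list)    # request timestamps

def request_reset(acct: Account, now: float) -> Optional[str]:
    """Handle a 'forgot password' request.

    Active sessions are deliberately left untouched: knowing an email address
    must not be enough to kick the owner off every device. Requests are
    rate limited so the mailbox cannot be flooded with reset emails.
    """
    acct.reset_requests = [t for t in acct.reset_requests if now - t < 3600]
    if len(acct.reset_requests) >= MAX_REQUESTS_PER_HOUR:
        return None  # throttled; the UI would still show a generic "email sent"
    acct.reset_requests.append(now)
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not predictable
    acct.reset_tokens[token] = now + RESET_TTL_SECONDS
    # The link carries the secret token, so it must only ever be an https URL.
    return f"{RESET_BASE_URL}?token={token}"

def complete_reset(acct: Account, token: str, new_hash: str, now: float) -> bool:
    """Finish the reset. Only a valid, unexpired, single-use token changes
    anything; this is the point at which other devices are logged out."""
    expiry = acct.reset_tokens.pop(token, None)  # pop => token is single use
    if expiry is None or now > expiry:
        return False
    acct.password_hash = new_hash
    acct.reset_tokens.clear()   # any other outstanding links become useless
    acct.sessions.clear()       # log out everywhere, now that proof was given
    return True

if __name__ == "__main__":
    a = Account("seller@example.com", "old-hash", sessions={"web", "mobile"})
    link = request_reset(a, time.time())
    print(link, "sessions still active:", a.sessions)
```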
Posted (edited)
On 11/27/2024 at 9:36 PM, giovanni_ux said:

Emergency support: We are not able to create a ticket to customer support in case we lose access to our accounts as we need to be logged in to create a ticket. There should be a way to reach support for these emergency concerns.

There's the support@fiverr.com email address.

On 11/27/2024 at 9:36 PM, giovanni_ux said:

Have emails associated with Fiverr accounts been exposed? Was there a data breach? I don’t see any other way in which external people could know the email associated with Fiverr accounts.

Did you use your Fiverr email address on other sites too, that might have been hacked? If so, maybe they have the email address from there. Or maybe they bought/got an email list from somewhere that had that email address in.

Though I don't see how them just having your email address and sending a password reset request can give them access to your account unless you or they clicked the link that it sends. I assume they won't be able to predict the link it sends. So maybe they somehow had access to your device(s) at the time they sent the password reset. Maybe you could have run a virus/malware scan or still could if you haven't.

edit:

Also, the last 2 password reset emails I got from Fiverr (that was years ago. I don't know if it's different now) had the password reset link starting with http://www.fiverr.com, not https. Isn't that an insecure way of doing it?

Edited by uk1000
Posted (edited)
9 hours ago, uk1000 said:

There's the support@fiverr.com email address.

Oh, thank you, I did not know that you could contact them directly via email, that's a good point.
 

9 hours ago, uk1000 said:

Did you use your Fiverr email address on other sites too, that might have been hacked? If so, maybe they have the email address from there. Or maybe they bought/got an email list from somewhere that had that email address in.

Though I don't see how them just having your email address and sending a password reset request can give them access to your account unless you or they clicked the link that it sends. I assume they won't be able to predict the link it sends. So maybe they somehow had access to your device(s) at the time they sent the password reset. Maybe you could have run a virus/malware scan or still could if you haven't.

Yes, it's possible that the email was involved in another website data breach, but that does not answer two key points:

  • How did they know we have a Fiverr account? That’s not something they could learn from other websites' data breaches. Too many sellers have experienced it for it to be a mere coincidence. I also think it's unlikely that they would try the email manually on every website (to find which ones you are signed up for).
     
  • Also, many sellers have experienced this recently. In the comments section of the video I posted, many sellers mentioned the same experience, which makes me think this is coordinated.

 

You're right that having just the email doesn't give them direct access to the account, but it's a starting point for more personalized attacks:

  • Since they know both the email and the Fiverr account, they could, for example, create a Fiverr account to contact us under the guise of a project and extract more information.
     
  • If they manage to find phone numbers associated with emails in other data breaches then it can get worse with SMS intercepting and SIM swapping.

I assume that successful sellers would be targeted as a priority.

This is why I think that a stronger 2FA method is a priority, so we can have peace of mind knowing that no one can get access without a TOTP code or a security key, which is now standard on websites that hold important user data.

 

9 hours ago, uk1000 said:

Also, the last 2 password reset emails I got from Fiverr (that was years ago. I don't know if it's different now) had the password reset link starting with http://www.fiverr.com, not https. Isn't that an insecure way of doing it?

I noticed that too. When a password change is requested, the link sent by Fiverr is HTTP, not HTTPS. I don't understand why, maybe someone from Fiverr could explain it. 😀

 

Edited by giovanni_ux