Flaws in Meetup App can allow remote hackers to takeover ‘Group,’ steal payments

Critical flaws in the popular Meetup App allowed takeover of Meetup “Groups” and exposed the data of nearly 44 million members to data and payment theft

Security researchers from Checkmarx have disclosed many critical flaws in the popular Meetup App service at Black Hat USA 2020. One of the flaws could allow remote hackers to take over the Meetup “Groups.”

The Meetup App is a popular service that lets users with similar interests connect with each other and organize meetups. Such connections are called Meetup Groups. Meetup has nearly 44 million users who use the App to organize online groups with events for people with similar interests. These events are either free, or participants can register for a fee using PayPal. While events are typically held in person, in light of the ongoing pandemic many have moved to virtual settings.

Meetup is currently owned by AlleyCorp, an early-stage, NY-focused venture fund and incubator, and is based in New York City, U.S.A.

Checkmarx researchers discovered that the Meetup service has several critical vulnerabilities that could be exploited by remote hackers to hijack any Meetup “group.” The flaws also allowed hackers to remotely access the group’s member details and even redirect Meetup payments to an attacker-owned PayPal account.

“Checkmarx found several ‘more-common’ API security issues like lack of resources and rate-limiting and excessive data exposure, as well as some serious cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities on Meetup.com that could put users at risk,” the researchers said in their disclosure on Monday at Black Hat USA 2020.

The researchers disclosed the issues to Meetup, which had fixed all the vulnerabilities as of July 15. The researchers did not publicly disclose the flaws until Monday. The Checkmarx security team discovered “cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities” in the Meetup App which could have exposed the data of its 44 million users. The researchers found the cross-site scripting vulnerability in Meetup’s discussion feature, which is enabled by default in a Meetup group. The flaw has a CVSS score of 8.7 out of 10, making it high severity. The root cause is that Meetup does not properly sanitize the discussion field.

The researchers said that a potential attacker simply needs to post a custom script to the Meetup discussion forum. The script then causes a JavaScript popup to appear as soon as any user visits the Meetup page. When the user clicks the popup, the attacker can carry out various malicious actions, such as stealing the user’s web browsing data (sessions and cookies).

The researchers also found a CSRF flaw in the Payments Received API endpoint of Meetup. CSRF means that when an attacker is authenticated on the server, they also have control over the client. “When you manage to chain these two together, sometimes there are no limits to what can actually happen,” says Erez Yalon, director of security research at Checkmarx.
