Critical flaws in the popular Meetup app allowed takeover of Meetup “Groups” and exposed nearly 44 million members to data and payment theft
Security researchers from Checkmarx have disclosed many critical flaws in the popular Meetup App service at Black Hat USA 2020. One of the flaws could allow remote hackers to take over the Meetup “Groups.”
Meetup is a popular service that lets users with similar interests connect with each other and organize meetings; such connections are called Meetup Groups. The service has nearly 44 million users, who use the app to organize online groups with events for people who share an interest. Events are either free, or participants register for a fee paid through PayPal. While events are typically held in person, in light of the ongoing pandemic many have moved to virtual settings.
Meetup is currently owned by AlleyCorp, an early-stage, New York-focused venture fund and incubator, and is based in New York City, U.S.A.
Checkmarx researchers discovered that the Meetup service has several critical vulnerabilities that could be exploited by remote hackers to hijack any Meetup “group.” The flaws also allowed hackers to remotely access the group’s member details and even redirect Meetup payments to an attacker-owned PayPal account.
“Checkmarx found several ‘more-common’ API security issues like lack of resources and rate-limiting and excessive data exposure, as well as some serious cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities on Meetup.com that could put users at risk,” the researchers said in findings disclosed on Monday at Black Hat USA 2020.
The researchers reported the issues to Meetup, which had fixed all of the vulnerabilities as of July 15; the flaws were not made public until Monday. The Checkmarx security team discovered “cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities” in the Meetup app that could have exposed the data of its 44 million users. The researchers found the cross-site scripting vulnerability in Meetup’s discussion feature, which is enabled by default in every Meetup group. The flaw has a CVSS score of 8.7 out of 10, rating it high severity. The root cause is that Meetup did not properly sanitize the discussion field.
The researchers also found a CSRF flaw on Meetup’s Payments Received API endpoint. CSRF means that when an attacker is authenticated on the server they also have control over the client. “When you manage to chain these two together, and sometimes there are no limits to what can actually happen,” said Erez Yalon, director of security research at Checkmarx.