Meetup fixes security flaws that could have allowed hackers to take over groups

Researchers at Checkmarx detail "Holy Grail" of two vulnerabilities, now patched.
Written by Danny Palmer, Senior Writer

Security vulnerabilities in popular online-meeting service and events website Meetup could have allowed cyber attackers to gain access to the profiles of millions of members, according to a security company.

Researchers from Checkmarx found it was possible to combine cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities on the site to gain administrator privileges, enabling them to perform actions ranging from the annoying – like cancelling or changing events – to the fraudulent, including looking at information about users or redirecting PayPal payments.

Researchers found it was possible to inject malicious script into posts made in the discussion section of the Meetup page – something that's enabled by default on every event.

The script would be hidden from users, but attackers could take advantage of it by combining it with a CSRF attack, allowing them to carry out unauthorised commands and gain control of groups.

"When you have these two vulnerabilities, it's basically the Holy Grail for a hacker. Because what it means if an organiser page runs the script in the browser, we can actually use their role of administrator to do whatever we want," Erez Yalon, director of security research at Checkmarx, told ZDNet.

On an individual Meetup group level, an attacker could exploit this to take control of the page, view personal information and redirect finances, something that would be frustrating for victims, but not a huge cybersecurity event.

However, researchers also found it was possible to spread the vulnerability with a worm, meaning that if unleashed in the wild, the whole site could become compromised by attackers taking control of groups and diverting funds.

"Even if I just started with several groups, everyone in them becomes an agent to spread the worm," he said. "Then when organisers are infected, they can move the funds to our own malicious PayPal. In a day or two we could infect each and every Meetup group – that would be a massive attack on the platform".

After uncovering the vulnerabilities, researchers disclosed them to Meetup and the company released a security patch that fixed the issue earlier this year. Meetup told Checkmarx: "Meetup takes reports about its data security very seriously, and appreciates Checkmarx's work in bringing these issues to our attention for investigation and follow up." ZDNet has contacted the company for additional comment.

What enabled the vulnerability was the ability to add scripts to the discussion page – and this could have been prevented if an allow list had been used. Because an allow list specifies which commands are acceptable for the page, strange code or commands can't be entered.

This approach is preferable to a deny list because a deny list requires listing every potential way commands could be worked around – and attackers will always look for new ways of doing this, including methods that developers might not think of.

"When you're using a deny list you're hoping you can think of all the ways an attacker could use your system – I can promise you that every attacker will find things you didn't think an attacker could do," said Yalon, who argued that there's a key takeaway from the research for other organisations.

"Make sure you're using an allow list when filtering inputs," he concluded.
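
The allow-list filtering described above, as an added example (not Meetup's or Checkmarx's code): a Python sanitizer for a discussion post that keeps only an assumed set of formatting tags and http(s) links, shown next to a deny-list filter that strips only `<script>`. The tag policy, function names and sample post are assumptions constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for a discussion post: a few formatting tags, no attributes
# except href on <a>, and only http(s) link targets.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL = re.compile(r"^https?://", re.IGNORECASE)

class AllowListSanitizer(HTMLParser):
    """Rebuilds the post from scratch, emitting only what the policy names."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: the markup is dropped, its text is kept escaped
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value and SAFE_URL.match(value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped on output

def sanitize_allow_list(post):
    parser = AllowListSanitizer()
    parser.feed(post)
    parser.close()
    return "".join(parser.out)

def sanitize_deny_list(post):
    # For contrast: removes only the one construct the developer thought of.
    return re.sub(r"<script\b.*?</script>", "", post, flags=re.IGNORECASE | re.DOTALL)

# Constructed sample post mixing harmless formatting with script-bearing attributes.
SAMPLE_POST = ('Hi <b>all</b> <img src=x onerror="alert(1)"> see '
               '<a href="https://example.org/x" onclick="alert(1)">notes</a>')

if __name__ == "__main__":
    print("deny list :", sanitize_deny_list(SAMPLE_POST))
    print("allow list:", sanitize_allow_list(SAMPLE_POST))
```

The deny-list output still carries the event-handler attributes, while the allow-list output contains only the bold text and the plain https link.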

