A popular online social service, Meetup, has fixed several critical flaws in its website. If exploited, the flaws could have enabled attackers to hijack any Meetup “group,” access the group’s member details and even redirect Meetup payments to an attacker-owned PayPal account.
Meetup is a service with a user base of over 35 million users, used to organize online groups that host events for people with similar interests. Events are either free, or participants register for a fee paid through PayPal. While events are typically in person, in light of the ongoing pandemic many have moved to virtual settings.
“Checkmarx found several ‘more-common’ API security issues like lack of resources and rate-limiting and excessive data exposure, as well as some serious cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities on Meetup.com that could put users at risk,” said researchers with Checkmarx, in research disclosed Monday at Black Hat USA 2020.
Researchers disclosed the issues to Meetup, which has since fixed all the vulnerabilities as of July 15. The flaws were not publicly disclosed by researchers until Monday.
“Meetup takes reports about its data security very seriously, and appreciates Checkmarx’s work in bringing these issues to our attention for investigation and follow up,” according to a Meetup statement.
The first flaw researchers discovered was a stored cross-site scripting vulnerability in Meetup’s discussion feature, which is activated by default in a Meetup group. The flaw has a CVSS score of 8.7 out of 10, making it high severity. The issue is that Meetup did not properly sanitize the discussion field, so markup submitted in a post was stored and later rendered in other members’ browsers.
“Now, instead of having a message or a discussion or a post on the page, we could have put some benign message actually in the background on a script,” Erez Yalon, the director of security research with Checkmarx, told Threatpost. “So this by itself is very bad already, because it means that in the context of a web browser, we can do whatever we want. Now for every person who visits this discussion board, it can be stealing information that is part of your web browsing process like cookies and sessions, and things like that. We can deface the website or even do some cryptomining on the web browser.”
The attack was made more severe after researchers also found a CSRF glitch on the Payments Received API endpoint of Meetup. CSRF means that a request forged by the attacker is sent by the victim’s browser with the victim’s authenticated session, so the server accepts it as the victim’s own action and the attacker effectively gains control over what the client submits.
Researchers were able to chain together the XSS flaw and the CSRF glitch, which is the “holy grail” for attackers: “When you manage to chain these two together, sometimes there are no limits to what can actually happen,” said Yalon.
That means that if a user with high privileges (like a Meetup group “co-organizer”) views the page carrying the malicious script, attackers could then escalate their privileges to “co-organizer,” hijack a Meetup group page and completely manage the group. Since the form to change the PayPal recipient’s email address in Settings / Payments received was vulnerable to CSRF, attackers would also be able to change the PayPal email address of any affected Meetup user to their own PayPal email address, without the victims noticing.
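The two bug classes described above are closed by two independent server-side controls: encoding discussion text on output, and tying state-changing requests such as the PayPal recipient change to a per-session token and an Origin check. The following is an added illustration written for this article, not code from Meetup or Checkmarx; the `Session` model, the field names and `site_origin` are placeholders.

```python
import html
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session for a logged-in user (hypothetical model)."""
    user_id: str
    # Synchronizer token: random per session, embedded in the site's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def render_discussion_post(raw_text: str) -> str:
    """Escape a stored discussion post before inserting it into HTML.

    The stored-XSS bug was a discussion field that was not sanitized. Encoding
    on output turns any markup in the stored text into inert characters, so a
    post can never become script in another member's browser.
    """
    return "<p>" + html.escape(raw_text, quote=True) + "</p>"


def change_paypal_recipient(session: Session, form: dict, headers: dict,
                            site_origin: str = "https://example.test") -> str:
    """Handle the 'Payments received' recipient-email change with CSRF checks.

    A cross-site page can make the victim's browser send this request with the
    victim's cookies, but it cannot read the session token or set a first-party
    Origin header. Either check failing rejects the request before any change.
    site_origin is a placeholder, not the real site's origin.
    """
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        raise PermissionError("CSRF token missing or invalid")
    # Browsers attach Origin to cross-site POSTs; require an exact match.
    if headers.get("Origin") != site_origin:
        raise PermissionError("Origin header missing or cross-site")
    new_email = form.get("paypal_email", "").strip()
    if "@" not in new_email:
        raise ValueError("invalid email address")
    return new_email  # the caller persists this for session.user_id
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a third, browser-enforced layer, but the token and Origin checks above do not depend on it.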
Researchers also found several other less serious issues in Meetup, including a lack of resource and rate limiting and an excessive data exposure issue.
The research was unveiled this week at Black Hat USA 2020, which kicked off on Saturday and will focus largely on new security threats, election security, COVID-19 and remote work, and other themes.