Meetup security failings left users vulnerable to money and data loss, says Checkmarx report
Series of flaws at community-building events platform left it vulnerable to injection of malicious scripts
The vulnerabilities allowed attackers to inject malicious script in the groups' discussion area. "Once the script was executed by the organizer (by just visiting the Meetup page), it unknowingly took advantage of the CSRF vulnerability and changed our role to “co-organizer,” and by that, granted us access to the group functions (e.g., contact all members, edit group settings, manage money, create events, etc.)," Checkmarx wrote in its report authored by David Sopas.
Meetup was found to be vulnerable to both XSS attacks, in which malicious scripts are injected into otherwise benign and trusted websites, and CSRF attacks, when the attacker causes the victim user to carry out an action unintentionally, which ultimately allowed the white hat hackers from Checkmarx to go from a regular Meetup user, to a co-organizer of a Meetup event, without any authorization or permission.
"Meetup takes reports about its data security very seriously, and appreciates Checkmarx's work in bringing these issues to our attention for investigation and follow up," Meetup was quoted as saying in the Checkmarx report. "There is no evidence of any exploitation of these now-resolved vulnerabilities; there was no impact on Meetup's users' accounts or privacy."
According to Checkmarx, it already sent a full disclosure to Meetup.com, which was acquired by WeWork in 2017, on December 14, 2019, but it wasn't until March 6, 2020 that Meetup.com confirmed they made some fixes. A week later, Checkmarx tests showed that not all vulnerabilities were covered and additional fix suggestions were made. Finally on July 15, Meetup’s Trust & Safety confirmed all reported issues were fixed.
"Vulnerabilities like the ones mentioned above are why the Checkmarx Security Research Team performs investigations," said Checkmarx. "This type of research activity is part of our ongoing efforts to drive the necessary changes in software security practices among organizations worldwide. SAST solutions like CxSAST are essential in helping organizations detect code-borne vulnerabilities, such as the XSS and CSRF issues found with Meetup.com, and providing actionable remediation insights."