Numerous vulnerabilities affected the Meetup.com event service. If exploited, these vulnerabilities could compromise users' privacy, and an adversary could even take over groups by exploiting the bugs.
Vulnerabilities In Meetup
Researchers from the security firm Checkmarx have disclosed numerous vulnerabilities affecting the event service Meetup.com. Sharing the details in a report, they explained that they found numerous API issues that affected users' security.
Meetup.com is an online event-creation site that allows users to connect, gather, and arrange meetups. Given the global situation caused by the COVID-19 pandemic, security bugs in such a platform pose a significant threat.
An attacker exploiting the bugs could gain elevated access to any Meetup group, access details of the group, its events, and its members' data, or even commit payment fraud.
Specifically, they found a cross-site scripting (XSS) flaw that allowed an attacker to execute arbitrary malicious code in users' browsers. They also found a CSRF flaw. Chaining the two bugs could enable an adversary to gain elevated privileges without authorization.
Consequently, the attacker could also redirect payments to any other PayPal account, leading to fraud.
The researchers have demonstrated the attack in the following video. They have also shared technical details of the exploits in a detailed report.
Patches Released
Checkmarx reported the vulnerabilities to Meetup.com in December 2019. Meetup initially confirmed some fixes in March 2020, but the researchers established that some bugs remained unfixed. Following additional suggestions from the researchers, Meetup then deployed thorough fixes for the vulnerabilities.
For now, these issues are addressed, and Meetup users may continue to use the service without worries.
Meetup has also stated that it found no evidence the bugs were exploited.
Meetup takes reports about its data security very seriously, and appreciates Checkmarx’s work in bringing these issues to our attention for investigation and follow up. There is no evidence of any exploitation of these now-resolved vulnerabilities; there was no impact on Meetup’s users’ accounts or privacy.
Let us know your thoughts in the comments.