Meetup Website Has Patched Vulnerability Open To Hackers

August 12, 2020

Written by wukovits

meetup website has patched vulnerability open to hackersRecently, security researchers at Checkmarx discovered a pair of serious vulnerabilities in the popular online meeting website Meetup.

According to the researchers, a hacker could combine cross-site scripting (XSS) with cross-site request forgeries (CSRF) to gain admin privileges on the site.

This would allow them to do anything from changing the details of any user’s events, outright cancelling them, exfiltrating user information, and/or redirecting PayPal payments.

The research team discovered that by making use of these two vulnerabilities, it was possible to inject malicious scripts into posts made in the discussions section of the Meetup site. That is a feature enabled by default on every event inside the framework of the system.

Erez Yalon, the Director of Security Research at Checkmarx had this to say about his team’s discovery:

“When you have these two vulnerabilities, it’s basically the Holy Grail for a hacker. Because what it means is if an organizer page runs the script in the browser, we can actually use their role of administrator to do whatever we want.”

For their part, when Meetup was informed of the pair of vulnerabilities by Checkmarx, they responded quickly and patched the system. As of this moment, neither of the exploits remain functional and there is no evidence that hackers ever made use of them, which definitely counts as a bullet dodged.

Ultimately, the vulnerability was enabled by the fact that it’s possible to add scripts to the discussions page. That is something that could have been prevented if an allow list had been used that specifies exactly what script commands can be used on the page.

Unfortunately, the company used a deny list in this case. A deny list isn’t nearly as effective as a filtering mechanism, because hackers can almost always come up with things a site owner would never consider. They’re always finding ways around any deny list.

In any case, the issue is now resolved, and if you’re a Meetup user, there’s nothing you need to do. Continue making use of the site as you have been.

Used with permission from Article Aggregator

Bayou Tech

We provide solutions for your business. Find out how we can help.

Related Articles

Key Considerations for Effective Cybersecurity Implementation

Consider this: In the realm of cybersecurity, things often get tangled in the web of "you should do it anyway" arguments. Yet, for busy business owners bombarded with daily "must-dos," deciphering the essentials from the fluff can feel like a cyber maze. We aim to...

Unlocking Small Business Success: The Impact of AI in a Digital Era

In the rapidly evolving business landscape, staying competitive necessitates embracing technological advancements. Artificial Intelligence (AI), once perceived as a luxury for larger enterprises, is now accessible to small businesses, offering new opportunities for...