The Checkmarx Security Research Team recently audited the security of several high-profile websites, including Meetup.com. For those who are not familiar with Meetup.com, it allows users to create an event where people with similar interests gather. Events can be in person, and in light of the ongoing pandemic, many of them have moved to virtual settings. Some Meetup events are free, while others cost visitors various amounts of money to register and participate. As a result of our investigations, which are further detailed in this technical report, we found several “more-common” API security issues like Lack of Resources & Rate Limiting and Excessive Data Exposure, as well as serious cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities on Meetup.com that could put users at risk. For those unfamiliar with XSS or CSRF vulnerabilities, or who want to refresh their memory, more information is available here and here, respectively.
Chained together, these vulnerabilities could allow an attacker to:
- Take over any Meetup group by role escalation
- Access all group functions and assets (members’ details, edit group settings, fake event creation, etc.)
- Redirect all payments to any PayPal account
Summary of Disclosure and Events
After discovering and validating the vulnerabilities, we notified Meetup of our findings and worked with them throughout the remediation process until they informed us everything was appropriately patched.
Meetup’s Response
"Meetup takes reports about its data security very seriously, and appreciates Checkmarx's work in bringing these issues to our attention for investigation and follow up. There is no evidence of any exploitation of these now-resolved vulnerabilities; there was no impact on Meetup's users' accounts or privacy."
Timeline of Disclosure
- 14-Dec-2019: Sent full disclosure to Meetup.com
- 06-Mar-2020: Meetup.com confirmed they made some fixes
- 13-Mar-2020: Checkmarx tests show that not all vulnerabilities are covered. Additional fix suggestions sent to Meetup.com
- 15-Jul-2020: Meetup’s Trust & Safety confirmed all reported issues are fixed