Meetup Website Has Patched Vulnerability Open To Hackers - Olmec Skip to main content

Meetup Website Has Patched Vulnerability Open To Hackers

By August 12, 2020February 28th, 2023Cybersecurity

Recently, security researchers at Checkmarx discovered a pair of serious vulnerabilities in the popular online meeting website Meetup.

According to the researchers, a hacker could combine cross-site scripting (XSS) with cross-site request forgeries (CSRF) to gain admin privileges on the site.

This would allow them to do anything from changing the details of any user’s events, outright cancelling them, exfiltrating user information, and/or redirecting PayPal payments.

The research team discovered that by making use of these two vulnerabilities, it was possible to inject malicious scripts into posts made in the discussions section of the Meetup site. That is a feature enabled by default on every event inside the framework of the system.

Erez Yalon, the Director of Security Research at Checkmarx had this to say about his team’s discovery:

“When you have these two vulnerabilities, it’s basically the Holy Grail for a hacker. Because what it means is if an organizer page runs the script in the browser, we can actually use their role of administrator to do whatever we want.”

For their part, when Meetup was informed of the pair of vulnerabilities by Checkmarx, they responded quickly and patched the system. As of this moment, neither of the exploits remain functional and there is no evidence that hackers ever made use of them, which definitely counts as a bullet dodged.

Ultimately, the vulnerability was enabled by the fact that it’s possible to add scripts to the discussions page. That is something that could have been prevented if an allow list had been used that specifies exactly what script commands can be used on the page.

Unfortunately, the company used a deny list in this case. A deny list isn’t nearly as effective as a filtering mechanism, because hackers can almost always come up with things a site owner would never consider. They’re always finding ways around any deny list.

In any case, the issue is now resolved, and if you’re a Meetup user, there’s nothing you need to do. Continue making use of the site as you have been.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP workspace for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He was a past member of the Entrepreneurs’ Organization, a current member of the New Jersey Power Partners and Executive Association of New Jersey, where he has previously served on its board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.