Flaws in the Meetup events platform could have allowed attackers to hijack Meetup “Groups”, redirect payments to themselves and carry out other malicious actions on the group's behalf.
The vulnerabilities, which have since been patched, were disclosed at the Black Hat USA 2020 information security conference.
Researchers at cybersecurity company Checkmarx discovered the flaws during research into API security issues in high-profile web applications.
The research showed Meetup to be vulnerable to both cross-site scripting (XSS), in which attacker-supplied script is stored in or reflected by a trusted website and runs in other users' browsers, and cross-site request forgery (CSRF), in which an attacker causes a logged-in victim's browser to send a state-changing request the victim never intended.
Meetup currently has more than 44 million members, with 330,000 active Meetup groups and some 84,000 hosted events each week.
According to the researchers, the flaws potentially exposed all 44 million members to the loss of private financial and personal information.
“Once the script was executed by the organiser (by just visiting the Meetup page), it unknowingly took advantage of the CSRF vulnerability and changed our role to ‘co-organiser,’ and by that, granted us access to the group functions,” the Checkmarx report said.
In a statement included in the Checkmarx report, Meetup said: “Meetup takes reports about its data security very seriously and appreciates Checkmarx’s work in bringing these issues to our attention for investigation and follow up.
“There is no evidence of any exploitation of these now-resolved vulnerabilities; there was no impact on Meetup’s users’ accounts or privacy.”
The Meetup findings show how exposed communication platforms are to such attacks, at a time when their use has grown during the Covid-19 lockdown period.
Both successful and unsuccessful attacks have been reported throughout the lockdown period since February.
Last week, Garmin revealed that it had been the victim of a large ransomware attack and spent several days restoring its services, with no personal information reported to have been misused. The company has reportedly paid millions of pounds to resolve the incident.