Recently, security researchers at Checkmarx discovered a pair of serious vulnerabilities in the popular online meeting website Meetup.
According to the researchers, a hacker could combine cross-site scripting (XSS) with cross-site request forgeries (CSRF) to gain admin privileges on the site.
This would allow them to do anything from changing the details of any user's events, outright cancelling them, exfiltrating user information, and/or redirecting PayPal payments.
The research team discovered that by making use of these two vulnerabilities, it was possible to inject malicious scripts into posts made in the discussions section of the Meetup site. That is a feature enabled by default on every event inside the framework of the system.
Erez Yalon, the Director of Security Research at Checkmarx had this to say about his team's discovery:
"When you have these two vulnerabilities, it's basically the Holy Grail for a hacker. Because what it means is if an organizer page runs the script in the browser, we can actually use their role of administrator to do whatever we want."
For their part, when Meetup was informed of the pair of vulnerabilities by Checkmarx, they responded quickly and patched the system. As of this moment, neither of the exploits remain functional and there is no evidence that hackers ever made use of them, which definitely counts as a bullet dodged.
Ultimately, the vulnerability was enabled by the fact that it's possible to add scripts to the discussions page. That is something that could have been prevented if an allow list had been used that specifies exactly what script commands can be used on the page.
Unfortunately, the company used a deny list in this case. A deny list isn't nearly as effective as a filtering mechanism, because hackers can almost always come up with things a site owner would never consider. They're always finding ways around any deny list.
In any case, the issue is now resolved, and if you're a Meetup user, there's nothing you need to do. Continue making use of the site as you have been.
Used with permission from Article Aggregator