Security News > 2020 > August > Meetup vulnerabilities enabled group takeovers, payment redirections
Two high-risk vulnerabilities in Meetup, a popular online service that's used to create groups that host local in-person events, allowed attackers to easily take over any Meetup group, access all group functions and assets, and redirect all Meetup payments/financial transactions to their PayPal account.
What's more, attackers could create a worm to take over all meetings on the site - including private ones - and do all of these things.
Both vulnerabilities can be exploited by sending a request that includes malicious JavaScript to the Meetup API, and in both cases the script will not show in the discussion.
The attacker could also forge a request to change the PayPal account email address stored in Meetup -> Manage Money, effectively directing all payments to the attacker's address.
Meetup has been apprised of the findings and has fixed all the flaws discovered by Checkmarx researchers, including the two flaws that could allow attackers to enumerate Meetup users and retrieve sensitive information about them.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/KHZWZWnin40/