Critical flaws in the popular Meetup platform were revealed Monday as part of research unleashed at this week’s Black Hat USA 2020. The flaws, which have been patched, enable the full takeover of Meetup “Groups” by threat actors, who can also redirects payments and carryout other malicious actions.
Erez Yalon, the director of security research with Checkmarx, discussed why these critical vulnerabilities are a “holy grail” for attackers, and explained how the bugs are indicative of overall application security trends that will be discussed this week at Black Hat USA 2020. In the case of the Meetup flaws, the researcher identified two. One is a cross site scripting flaw and the second a cross site request forgery – both tied to the platform’s application programming interface (API).
Below is an interview with Yalon conducted ahead of the research along with an accompanying transcript.
Below find a lightly edited transcript of the interview.
Lindsey O’Donnell Welch: This is Lindsey O’Donnell Welch with Threatpost and I am joined today by Erez Yalon, the director of security research with Checkmarx. And we’re talking during Black Hat USA 2020, where Checkmarx is announcing some new security research that they came out with. So Erez thank you so much for joining me today. It’s nice to be talking to you even though this year, it’s actually virtually instead of our in person interviews that we’ve done in the past.
Erez Yalon: Yeah, we usually do face to face but this is not allowed in the new normal. So this is how we do it now. But it’s fine.
LO: There’s always Black Hat 2021. Now, during Black Hat 2020 Checkmarx’s security research team has some new research that you are releasing, and that is specifically focused around Meetup.com. And for those who don’t know, Meetup.com is a popular website that allows users to create an event for people, with similar interests to gather, so you know, book clubs or dog walking clubs, for instance. So Erez you found an array of kind of security issues in the investigations that you did – everything from API security issues to cross-site scripting and cross site request forgery flaws, can you kind of give us a rundown of the research and you know, what these different vulnerabilities were?
EY: Sure. Okay, so basically looking at Meetup.com, we’re not targeting specifically them. We’re in general, looking at the websites that are high in demand and more interesting for everyone, for consumers and us as well. So Meetup was one in a long list. Now, it was part of our research about API security, which we invest a lot in these days. But actually the biggest issues we found were just good old application security issues.
I think that they are probably among the top five famous vulnerabilities that can be found in appsec, application security. One of them is the cross site scripting flaw. And the other one is the cross site request forgery, also known as XSS and CSRF.
When we started playing with Meetup, we found that one of their features or endpoints is not totally sanitizing – and by sanitizing I mean, removing bad inputs – not totally sanitizing the fields that are in the discussion field. Now, every Meetup group has a discussion board under the group. And it’s, as far as I know, enabled by default. We didn’t see any groups without it, I think it makes sense to allow discussions in the group.
And the sanitization process there was not complete. And we managed to bypass it by adding some specific scripts and tags that bypassed the protection of the Meetup website. What it was is what we call stored XSS. Now, instead of a message or a discussion or a post on the page, we could have put some benign message actually in the background on a script. So this by itself is very bad already, because it means that in the context of a web browser, we can do whatever we want, now for every person who visits this discussion board, so it can be stealing information that is part of your web browsing process like cookies and sessions, and things like that. We can deface the website or even do some cryptomining on the web browser. So this, this actually lets us do many, many things. The interesting part was that we thought, okay, if it’s a stored XSS, it means that that the organizers will probably fall into this hole as well as the XSS. So they might run some sort of script on their side, and we know that they have admin capabilities. So the next vulnerability we found was cross-site request forgery, CSRF, which means that essentially when the user is authenticated on the server, it means that if I have hold of the client side, which I do with XSS, I can run a lot of commands in the name of that user, and the user will not even be able to tell that the web browser actually sent these commands.
So just before I talk about specifically what we did here, I want to mention that the combination of XSS and CSRF is the holy grail for us, because when you manage to chain these two together, sometimes there are no limits to what can actually happen. So riding on the XSS will propel specific, malicious script that runs on the organizers’ side, on the organizers’ browser. And then by abusing the CSRF we’ve caused the organizer to give permissions of a co-organizer to the attacker. So suddenly, we’ve taken over the account completely and we have access to a lot of information – we can change the Meetup, we can cancel it, we can create a fake meetup, etc. So this actually was some sort of privilege escalation we created. And because we’ll never be happy and we always want more. To top it all, we found a way also to, to play a bit with the payment details. So with Meetup you have a lot of options of collecting payments, sometimes it’s just $1 or two for refreshments from each one and sometimes it’s a paid session like $100 or $200. And we were able to – like we did with the privilege escalation I described we could actually redirect the payment to our own PayPal address. So our scene, when we imagined it, is an attacker changing all the payments of Meetup for like 24 hours, gathering all the all the money and running away. This is the scenario we imagined. And I think it was interesting – we did not try that – but as a as a theory, we could actually create a wall that would infect each user and each user would infect all the Meetup groups they are part of, etc., going on and on like that. This way we could have also reached private groups and groups that are not listed on Meetup. So all in all, it’s kind of a critical issue, as you can understand.
LO: For sure, I mean, that impact there of being able to redirect all payments to a PayPal account seems like it would definitely be a lucrative one for cyber criminals who are definitely motivated by money. So that could be a serious impact there. In terms of exploitability for these vulnerabilities. How serious are they? What would an attacker potentially need to, you know, carry out an actual attack here?
EY: So the field that was not sanitized well, it was partially sanitized. So I believe that automatic hacking tools or testing tools that check for this would not find it, but we tend to be creative. So when we find something that seems not completely protected, we will find a crack together, so it was more of a manual thing than an automatic thing. But I think that every hacker that would have decided to do that would eventually probably find a way in. And as soon as you find the XSS, and then the next thing you do is to look for the CSRF, because as I said, they go together to reach the higher purpose of really doing some damage there.
LO: Yeah. And what was the process of disclosure here? Because you guys reach out to meet up and I believe they have fixed everything. Is that correct?
EY: Yeah, we never publish anything without getting confirmation from the vendor that they fixed everything. And the reason is that we don’t want to put the users in any unnecessary risk obviously. So we reached out to Meetup. They fixed things, they talked to us, we helped them through the fix cycle. Trying to direct them to the right way to do that. And just recently, they got back to us and informed us that everything they meant to fix is fixed. And that’s it. So now we’re free to discuss that.
LO: Great well, definitely some interesting research there. And now we have Black Hat this week, and what are some of kind of the top threats you expect to be discussed at the conference this year? And, I mean, they might be related to COVID and the ongoing pandemic or election security. I mean, those are kind of the top ones I’m expecting to see, but is there anything from your standpoint, having been observing what’s been going on in the threat landscape over the past few months that you’re really expecting to hear more about?
EY: Yeah, so I think the trends would definitely dictate election security. And maybe also COVID, I’m not sure it’s been enough time to actually create some sort of presentation that will tell us a lot about that. I think it will be interesting to wait a bit into the future and see what happened. Although I’m sure there are some people who can already discuss that. Another trend we can probably expect to see is 5G, all the talks around that, some of them targeting the actual technology, some of them the hype and the scared people around it. Regarding more technical aspects, I think that we saw a big trend of moving towards API security in the past, we will probably see the bigger picture now. Everything that is what we call cloud-native, from containers to serverless to again, API security. And everything that is about this new architecture that is no longer a buzzword, it’s actually what we see every day. And this is where modern architectural software is going. Obviously, it has a lot of pluses and a lot of things that makes everything simpler to us. But security sometimes as we know, drags behind. So this is a good time to close the gap and make sure that security is also moving forward in the same piece of architecture and our cutting edge technology.
LO: And to your point about 5G I certainly think that’ll be a big topic as well, just with everything, starting to be rolled out and a lot of hype there over the past year or so. And I also wanted to ask you, I mean, you know, you’ve been up in charge of the AppSec village in previous Black Hats. What can we expect there for this year, especially with everything being virtual?
EY: Yeah, so AppSec village is part of DEF CON not Black Hat. And we started it last year. It was the first year it was great success we had during DEF CON, which is directly after Black Hat, almost 5,000 visitors in our AppSec village, which is like a mini conference inside of a conference, which is talking mainly about application security, obviously. This year DEF CON moved to or what they call safe mode, which is simply going virtual and we pivoted towards that as well. We’re not sure in the beginning because none of us had the experience of creating and virtual conference before. But we heard the community and everyone demanded to have another AppSec village this year. So we decided we were going to do that, together with my colleagues, friends and co leaders. We managed to get a group of volunteers and got a lot of support from DEF CON themselves. And it’s going to be virtual everything is going to be through Discord with some recorded talk, some live talks, we’re going to actually try to do workshops, virtually, it’s going to be kind of challenging, but I think that people who are coming to DEF CON, are really anxious and really want to get their hands dirty, in a way. And we’re going to have a nice competition of the Capture the Flag around the application security teams, and we’re going to meet a lot of people it’s going to be very, very interesting trying to make this new normal, somehow normal.
LO: Right, yeah, well, I you know, I’m excited to see how that plays out. And I’m sure that the interest is definitely there and there will be a lot of cool things coming out of that, so, Erez, thank you so much for coming on to talk a little bit more about your new research and what to expect over the next week.
EY: My pleasure.
LO: Great, and to all of our listeners. Thanks for listening in. If you liked what you heard or had any thoughts or questions, please comment below the video and be sure to subscribe. Thank you.
Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts from Microsoft and Fortanix together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us Wednesday Aug. 12 at 2pm ET for this FREE live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. Register Now.