Evite program easily tampered with, researcher says
The researcher known as Surbo found a variety of interesting ways to tamper with those Evite messages we all receive from time to time.
By Bill Brenner, Senior Editor
February 02, 2011 — CSO —
We all get them from time to time: An invitation to a party or some other event that arrives in the form of an Evite message. People click on them while using work machines during work time. And in some cases, businesses use them to communicate company events to employees.
Here's the problem: The Evite platform is shockingly weak from a security standpoint.
The researcher known as Surbo demonstrated that fact during a presentation at ShmooCon this past weekend in a talk called "An Evite from Surbo? Probably An Invitation for Trouble."
Evite is arguably one of the top online invitation and social planning websites in use today. It has more than 22 million registered users and over 25,000 invitations are sent each hour, according to the website. It's also free, which means demand is high. Surbo decided to take a look under the hood after a friend sent him an Evite message sometime in 2006.
"I hadn't heard of Evite, so I started to explore the 1.0 version," Surbo said in an interview. "I quickly learned that I had the ability to become the host and make comments. I could also make comments as other people."
Knowing that version 2.0 was in the works, Surbo withheld final judgment until he could see the latest version. Unfortunately, he said, version 2.0 is even worse.
"With today's 2.0 version I can do what I did before, but now I don't have to know your name or e-mail address," he said. "You just need the ID now. It's a skeleton key into every invite."
He continued: "If I'm invited, I open it and inspect the code, I can search for the ID, see everyone invited and get into their account and I can say this one is coming or that one is not."
At the end of his analysis, Surbo compiled the following laundry list of problems:
- He can impersonate people.
- He can control what's happening on the invite. "If you make a statement that the sky is blue, I can go in and remove that comment," he said.
- He can send a command to delete a message from someone else.
- He can e-mail anyone on the guest list and leave the host out of it. "I can pretend to be the host and say hey, it's a costume party. Come in costume," he said. "You need to use an authenticated cookie, but you don't have to use the host authentication cookie. And the cookies don't expire. I can use them over and over again."
- He can delete guests. "If I don't get along with someone I can remove them from the party list."
- He can see user info. "If I have your e-mail I can dig into your API and get all your personal information," birth dates and such.
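The gap Surbo describes in the costume-party point is a host-only action gated on having a valid login cookie rather than on being this invite's host. The following is an added example, not Evite's code: the users, cookies and invite data are constructed, and it places the weak check beside a version that ties the session to the invite's host.

```python
# Added example (not Evite's code): a minimal model of a host-only action,
# "message all guests", guarded two ways. All names, cookies and invite
# data below are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Invite:
    invite_id: str
    host: str
    guests: set = field(default_factory=set)

# Constructed session table: cookie token -> logged-in user.
# No expiry is modelled, mirroring the non-expiring cookies described above.
SESSIONS = {"cookie-alice": "alice", "cookie-bob": "bob"}
INVITES = {"inv-123": Invite("inv-123", host="alice", guests={"bob", "carol"})}

def weak_message_guests(cookie, invite_id, text):
    """Checks only that the caller is logged in (authentication).
    Any authenticated user who knows the invite ID can act as its host."""
    if cookie not in SESSIONS:
        return "401 unauthenticated"
    inv = INVITES.get(invite_id)
    if inv is None:
        return "404 no such invite"
    return f"sent to {sorted(inv.guests)} as host {inv.host}: {text}"

def fixed_message_guests(cookie, invite_id, text):
    """Same action, but the session user must be the host of this invite
    (authorization), so the invite ID alone is no longer a skeleton key."""
    user = SESSIONS.get(cookie)
    if user is None:
        return "401 unauthenticated"
    inv = INVITES.get(invite_id)
    if inv is None or inv.host != user:
        # One response for "missing" and "not yours", so callers cannot
        # probe which invite IDs exist.
        return "404 no such invite"
    return f"sent to {sorted(inv.guests)} as host {inv.host}: {text}"
```

The fixed handler is the shape of check to look for in a review of any per-resource action: the object is loaded, then its owner is compared with the session user before anything happens.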