Evite program easily tampered with, researcher says

We all get them from time to time: An invitation to a party or some other event that arrives in the form of an Evite message. People click on them while using work machines during work time. And in some cases, businesses use them to communicate company events to employees.

Here’s the problem: The Evite platform is shockingly weak from a security standpoint.

The researcher known as Surbo demonstrated that fact during a presentation at ShmooCon this past weekend in a talk called “An Evite from Surbo? Probably An Invitation for Trouble.”

Evite is arguably one of the top online invitation and social planning websites in use today. It has more than 22 million registered users and over 25,000 invitations are sent each hour, according to the website. It’s also free, which means demand is high. Surbo decided to take a look under the hood after a friend sent him an Evite message sometime in 2006.

“I hadn’t heard of Evite, so I started to explore the 1.0 version,” Surbo said in an interview. “I quickly learned that I had the ability to become the host and make comments. I could also make comments as other people.”

Knowing that version 2.0 was in the works, Surbo withheld final judgment until he could see the latest version. Unfortunately, he said, version 2.0 is even worse.

Also see “The seven deadly sins of social networking security”

“With today’s 2.0 version I can do what I did before, but now I don’t have to know your name or e-mail address,” he said. “You just need the ID now. It’s a skeleton key into every invite.”

He continued: “If I’m invited, I open it and inspect the code, I can search for the ID, see everyone invited and get into their account and I can say this one is coming or that one is not.”

At the end of his analysis, Surbo compiled the following laundry list of problems:

• He can impersonate people
• He can control what’s happening on the invite. “If you make a statement that the sky is blue, I can go in and remove that comment,” he said.
• He can send a command to delete a message from someone else.
• He can e-mail anyone on the guest list and leave the host out of it. “I can pretend to be the host and say hey, it’s a costume party. Come in costume,” he said. “You need to use an authenticated cookie, but you don’t have to use the host authentication cookie. And the cookies don’t expire. I can use them over and over again.”
• He can delete guests. “If I don’t get along with someone I can remove them from the party list.”
• He can see user info. “If I have your e-mail I can dig into your API and get all your personal information” — birth dates and such.

There are two kinds of Evite: public and private, Surbo said. On a private invite — for a company Christmas party, for example — he can go into individuals’ invite copies and dump the entire guest list. On a private invite comments are disabled but he can use the host e-mail to see if they are logged in.

Surbo has found that cross-site scripting flaws have existed on the Evite website for years. It’s those flaws that allow him to delete the host as well as the guest.

“I can send you another e-mail as yourself using an authenticated cookie,” he said. “I can say this is Evite, I need you to click the link below to fix the problem. I can make it look very official, with Evite graphics, and then you click on what could be a malicious link.”

He had been in contact with Evite in the past, when they had fake adware on their site that needed cleaning up. He knew the e-mail from before and told them what he could do as the host. His first message to them regarding these newly-found flaws was June 24, 2010. “They immediately wrote back. At that point, I knew they were working on 2.0 and didn’t push too hard, figuring fixes were being made. But 2.0 is worse,” he said.

He contacted Evite again and found them appreciative. They said they’d give him credit for finding the problems. He gave them details. Only one problem — a link forgery flaw — was fixed.

“I checked in regularly and asked if something was fixed, but never got responses back after that,” he said. “It was up to me reaching out to them.”

The last call was a couple of weeks ago. He got no response.

(CSOonline contacted Evite separately, but had not received a response by the time of this writing. If future contact is made, this article will be updated.)

“A lot of people say to me, I’m so glad I never used (Evite). That’s not the problem, though,” Surbo said. “Even if you don’t use it, if you’re on a list I can access all of your information and do spamming or send false messages.”

Surbo concluded that there’s really no safe way to use Evite until they make the changes he contacted them about. “They need to look at how they are authenticating the code,” he said.

As a courtesy to Evite, he left out true links people could use to target the API during his talk.