ShmooCon: Eavesdropping easy on Evite

A security researcher at ShmooCon shows how to harvest personal information on the Evite site

Web service Evite offers more than a convenient way to send out e-mail invitations to events. For those with even a modest amount of malicious gumption, the site can also provide a treasure trove of personal information, at least according to one security researcher.

Even without an Evite invitation to a particular event, "We can see who is invited. We can remove guests, read messages, log in as a guest and comment as any guest," said security consultant Trent Lo, speaking at the ShmooCon hacker conference held last weekend in Washington, D.C. Both public and private invites are susceptible to attack, he said.

Founded in 1997, Evite is one of the Web's oldest and most popular online services. The site allows individuals to send e-mail invitations for an event and set up a corresponding Web page that displays the names of those attending, not attending and mulling the idea of attending. The company claims to have more than 27 million users and sends out more than 25,000 invitations an hour.

However, the site has a number of large design flaws that make it easy for someone to harvest information from the invitations, Lo maintains. He demonstrated a number of techniques that a malicious user could employ to gain access to a particular invitation, mostly by manipulating both a 30-character string that is the event ID ("EID"), and a 30-character string for the guest ID ("GID").

By knowing an event ID (many of which can be found using a Google search), an outside user can access a page. To do this, the person would log in using a guest ID that Lo has disclosed. He says Evite created the ID for the purpose of sharing information with Facebook.

Once on the Evite page, the intruder could harvest all sorts of additional information, such as other guest IDs and e-mail addresses. Lo demonstrated how to do this using the Google Chrome browser. One of the options Chrome offers is the "inspect element" feature, which when clicked while hovering over the list of possible attendees provides the guest IDs and e-mail addresses, even if they are not visible on the screen, or as part of the source code for the Web page itself.

With this information, a malicious user can also sign in as one of those users, leave comments or change RSVP replies. "Anything that is on Evite, you can update. You can add things that shouldn't be there," he said. One could even send a message as the host, though in order to do that, the user would need an identifying cookie. "But the thing is, you can use anyone's cookie. And they never expire," Lo said.

Evite denies that it is providing any more access than is necessary for a public-facing Web service, and that user data is being kept confidential. "The issues raised around host impersonation and guest list data vulnerability have been investigated and resolved," an Evite spokesperson responded by e-mail.

"It is important to note that any Evite invitation sent through the Evite system is only available to those who were invited by the host of that event. Hosts can choose to share their events publicly and allow friends to add themselves to the guest list. This is not a security issue, but a feature used by some Evite hosts," the spokesperson added.

However, IDG News Service confirmed that a user was able to access an event found on the Internet using only the Facebook guest ID. For a private event in which the user was already a guest, that user was able to log on and leave messages as another guest, by changing the GID of the link.

Lo said he has contacted Evite a number of times to report problems. The company has fixed a few of the issues he reported, but has not responded to the ones he presented at the conference. Evite has acknowledged that the company has spoken with Lo in the past.

"To ensure that all vulnerabilities have been addressed Evite will continue to engage with the tech community and will work with outside security firms," the Evite spokesperson said. "Evite takes privacy and security of user information very seriously."

Lo said the problems are systemic, however, and cannot be easily fixed without a redesign of the entire service.

"There's no fixing this. This is broken from the get-go," Lo said.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securitysocial mediainternetsocial networkingdata protectionInternet-based applications and servicesAccess control and authenticationExploits / vulnerabilitiesEvite

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Show Comments

Brand Post

Bitdefender 2018

With determination and drive, you achieve outstanding performance! Get Bitdefender Total Security 2018 Now!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?