Ali Kabeel
With over a decade of bug hunting experience, Ali Kabeel has uncovered critical vulnerabilities across top tech platforms and ranks second on Snapchat’s Hall of Fame. He’s especially passionate about business logic vulnerabilities—the kinds of flaws rooted in real-world misuse rather than broken code—because they often evade automated scanners yet carry high impact.
Ali is currently a Security and Privacy Engineering Lead at Bending Spoons, where he has led security efforts across major products including Evernote, WeTransfer, and Brightcove. He has published research on microservice security and actively shares his expertise through conference talks, mentoring, and community engagement.
Sessions
What comes to mind when you hear "SaaS data platform"? It's a term that's so common you can make a drinking game out of it. From Customer Data Platforms to Transformation, AI/ML, Warehousing, and Analytics, the list of services these products provide never ends. However, one thing is sure: the amount of user and enterprise data these applications process is enormous, especially when adopted by large enterprises. As a Security Engineer focused on advanced product assessments, I have evaluated several prominent SaaS data platforms. Due to their complexity and the sensitivity of the data they process, these products are often vulnerable to intriguing high-risk security issues.
This talk will discuss four common pitfalls in these products' architecture and logic that can expose their customers' critical data. Whether you are new to the industry, a seasoned veteran, or a CISO, you will learn about these modern technologies and how to approach them during a penetration test. As a customer of these products, you will understand the importance of due diligence and confirming that your vendors have received independent security assessments. And as an everyday consumer, you will recognize the risks of companies over-collecting and sharing your data.
Invitation systems in social media platforms often appear simple, but they can hide critical business logic vulnerabilities. In this talk, I’ll reveal how I exploited these flaws in platforms like Facebook and Snapchat to gain unauthorized access, maintain connections indefinitely, and even block users from their own accounts. These real-world examples demonstrate how overlooked invitation mechanics can expose significant security risks, leading to privacy breaches and persistent access issues. Attendees will gain insight into how these vulnerabilities can be exploited and what measures can be taken to defend against them.