2025-08-06 – Florentine A
Invitation systems in social media platforms often appear simple, but they can hide critical business logic vulnerabilities. In this talk, I’ll reveal how I exploited these flaws in platforms like Facebook and Snapchat to gain unauthorized access, maintain connections indefinitely, and even block users from their own accounts. These real-world examples demonstrate how overlooked invitation mechanics can expose significant security risks, leading to privacy breaches and persistent access issues. Attendees will gain insight into how these vulnerabilities can be exploited and what measures can be taken to defend against them.
Invitation systems are an essential part of many social platforms, designed to help users connect and engage. However, these systems can also harbor subtle business logic flaws that, when exploited, allow attackers to manipulate their functionality in unexpected ways. This talk uncovers how vulnerabilities in social media invitation mechanisms can lead to severe security risks.
Through detailed examples from Facebook and Snapchat, I'll share how I:
- Discovered a way to create permanent invites in Facebook Groups, granting indefinite access to outsiders.
- Exploited flaws in Facebook's friend management system to stay friends with anyone indefinitely, bypassing their attempts to remove me.
- Broke Snapchat’s invitation system to block legitimate users from accessing their own accounts.
This session will explore the technical and logical breakdowns behind these exploits, showing how these vulnerabilities could be leveraged by attackers for persistent access, privacy violations, and account disruption. Attendees will learn how to identify, prevent, and fix business logic vulnerabilities in their own systems, strengthening the overall security of user interaction workflows.
With over a decade of bug hunting experience, Ali Kabeel has uncovered critical vulnerabilities across top tech platforms and ranks second on Snapchat’s Hall of Fame. He’s especially passionate about business logic vulnerabilities—the kinds of flaws rooted in real-world misuse rather than broken code—because they often evade automated scanners yet carry high impact.
Ali is currently a Security and Privacy Engineering Lead at Bending Spoons, where he has led security efforts across major products including Evernote, WeTransfer, and Brightcove. He has published research on microservice security and actively shares his expertise through conference talks, mentoring, and community engagement.