Security BSides Las Vegas 2025

Breaking the Guest List: Hacking Invitation Systems for Fun and Profit
2025-08-06, Florentine A

Invitation systems in social media platforms often appear simple, but they can hide critical business logic vulnerabilities. In this talk, I’ll reveal how I exploited these flaws in platforms like Facebook and Snapchat to gain unauthorized access, maintain connections indefinitely, and even block users from their own accounts. These real-world examples demonstrate how overlooked invitation mechanics can expose significant security risks, leading to privacy breaches and persistent access issues. Attendees will gain insight into how these vulnerabilities can be exploited and what measures can be taken to defend against them.


Invitation systems are an essential part of many social platforms, designed to help users connect and engage. However, these systems can also harbor subtle business logic flaws that, when exploited, allow attackers to manipulate their functionality in unexpected ways. This talk uncovers how vulnerabilities in social media invitation mechanisms can lead to severe security risks.

Through detailed examples from Facebook and Snapchat, I'll share how I:

  • Discovered a way to create permanent invites in Facebook Groups, granting indefinite access to outsiders.
  • Exploited flaws in Facebook's friend management system to stay friends with anyone indefinitely, bypassing their attempts to remove me.
  • Broke Snapchat’s invitation system to block legitimate users from accessing their own accounts.

This session will explore the technical and logical breakdowns behind these exploits, showing how these vulnerabilities could be leveraged by attackers for persistent access, privacy violations, and account disruption. Attendees will learn how to identify, prevent, and fix business logic vulnerabilities in their own systems, strengthening the overall security of user interaction workflows.

Ali Kabeel is a Security and Privacy Engineering Lead at Bending Spoons. With a passion for security, Ali has contributed to the discovery of numerous vulnerabilities across major platforms as a Bug Bounty Hunter. He holds a Bachelor’s degree in Computer Science and has published research on microservice security. Ali is committed to advancing web and application security, sharing his knowledge through conference talks, active community engagement and mentoring.