ShmooCon: Eavesdropping easy on Evite

03.02.2011
Web service Evite offers more than a convenient way to send out e-mail invitations to events. For those with even a modest amount of malicious gumption, the site can also provide a treasure trove of personal information, at least according to one security researcher.

Even without an Evite invitation to a particular event, "We can see who is invited. We can remove guests, read messages, log in as a guest and comment as any guest," said security consultant Trent Lo, speaking at the ShmooCon hacker conference held last weekend in Washington, D.C. Both public and private invites are susceptible to attack, he said.

Founded in 1997, Evite is one of the Web's oldest and most popular online services. The site allows individuals to send e-mail invitations for an event and set up a corresponding Web page that displays the names of those attending, not attending and mulling the idea of attending. The company claims to have more than 27 million users and sends out more than 25,000 invitations an hour.

However, the site has a number of large design flaws that make it easy for someone to harvest information from the invitations, Lo maintains. He demonstrated several techniques a malicious user could employ to gain access to a particular invitation, most of them relying on manipulating two 30-character strings: the event ID ("EID") and the guest ID ("GID"). The IDs are long enough to be hard to guess, but the site treats possession of any valid pair as proof of authorization, rather than checking that the guest actually belongs to that event.

By knowing an event ID (many of which can be found with a Google search), an outside user can open that event's page. To do so, the person logs in using a guest ID that Lo disclosed during the talk; he says Evite created this ID for the purpose of sharing event information with Facebook, and it is accepted on events it was never invited to.

Once on the Evite page, the intruder can harvest all sorts of additional information, such as other guest IDs and e-mail addresses. Lo demonstrated this using the Google Chrome browser. Chrome's "inspect element" option, invoked while hovering over the list of possible attendees, shows the live document as the page's scripts built it, and that includes guest IDs and e-mail addresses that the page never renders on screen and that do not appear in the static page source either. The data is delivered to the browser for every guest; the page merely declines to display it.
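To make the two flaws concrete, here is an added example that models them in a few dozen lines of Python. It is not Evite's code and does not reproduce the real service; the event and guest records, the function names, and the site-wide "shared" guest ID are all constructed stand-ins, and only the 30-character length of the IDs is taken from the talk. The vulnerable view accepts any known guest ID for any event and sends every guest record to the client; the hardened view takes the viewer's identity from the session, requires it to be on that event's list, and returns only the fields the page renders.

```python
"""Model of the access-control and over-fetching flaws described above.

Added example, not Evite code.  All data is constructed; names such as
view_event_vulnerable, SHARED_GID and EID_PARTY are hypothetical.
"""
import secrets


def new_id():
    """30-character opaque token.  Assumption: only the length mirrors the
    talk's description of EIDs/GIDs, not the real format."""
    return secrets.token_hex(15)


EVENTS = {}   # eid -> {"title": str, "guests": {gid: record}}
GUESTS = {}   # gid -> record; the site-wide index the vulnerable check consults


def add_event(title):
    eid = new_id()
    EVENTS[eid] = {"title": title, "guests": {}}
    return eid


def add_guest(eid, name, email, rsvp):
    gid = new_id()
    rec = {"gid": gid, "eid": eid, "name": name, "email": email, "rsvp": rsvp}
    GUESTS[gid] = rec
    EVENTS[eid]["guests"][gid] = rec
    return gid


# Constructed fixture: two unrelated events plus one guest ID that belongs
# to no event, standing in for the integration ID Lo disclosed (hypothetical).
EID_PARTY = add_event("Housewarming")
GID_ALICE = add_guest(EID_PARTY, "Alice", "alice@example.com", "yes")
GID_BOB = add_guest(EID_PARTY, "Bob", "bob@example.com", "maybe")
EID_OTHER = add_event("Book club")
GID_CAROL = add_guest(EID_OTHER, "Carol", "carol@example.com", "no")
SHARED_GID = new_id()
GUESTS[SHARED_GID] = {"gid": SHARED_GID, "eid": None, "name": "share",
                      "email": None, "rsvp": None}


def view_event_vulnerable(eid, gid):
    """Flaw 1: the EID and GID are validated separately, never against each
    other, so any GID the site knows unlocks any EID.
    Flaw 2: the full guest records, e-mails included, go to the browser,
    which only *displays* names and RSVPs."""
    if eid not in EVENTS or gid not in GUESTS:
        raise PermissionError("unknown event or guest")
    ev = EVENTS[eid]
    return {"title": ev["title"], "guests": list(ev["guests"].values())}


def harvest(response):
    """What 'inspect element' exposes: fields present in the DOM but not drawn."""
    return [(g["gid"], g["email"]) for g in response["guests"]]


def view_event_hardened(eid, session_gid):
    """The viewer's identity comes from the authenticated session, not from a
    request parameter; it must appear on *this* event's guest list; and the
    response carries only what the page renders."""
    ev = EVENTS.get(eid)
    if ev is None or session_gid not in ev["guests"]:
        raise PermissionError("not a guest of this event")
    return {"title": ev["title"],
            "guests": [{"name": g["name"], "rsvp": g["rsvp"]}
                       for g in ev["guests"].values()]}


def allowed(view, eid, gid):
    """True if the given view function grants access for (eid, gid)."""
    try:
        view(eid, gid)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # The shared ID, or any guest of another event, reads the party's list.
    print(harvest(view_event_vulnerable(EID_PARTY, SHARED_GID)))
    print(allowed(view_event_vulnerable, EID_PARTY, GID_CAROL))
    print(allowed(view_event_hardened, EID_PARTY, GID_CAROL))
```

The hardening is two separate decisions: binding the guest to the event (an authorization check on the relationship, not on the existence of each ID) and trimming the response to what the viewer is entitled to see, so that an inspector shows nothing more than the screen does. A long random ID does neither job on its own.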