With this information, a malicious user can also sign in as one of those users, leave comments or change RSVP replies. "Anything that is on Evite, you can update. You can add things that shouldn't be there," he said. One could even send a message as the host, though in order to do that, the user would need an identifying cookie. "But the thing is, you can use anyone's cookie. And they never expire," Lo said.

Evite denies that it is providing any more access than is necessary for a public-facing Web service, and that user data is being kept confidential. "The issues raised around host impersonation and guest list data vulnerability have been investigated and resolved," an Evite spokesperson responded by e-mail.

"It is important to note that any Evite invitation sent through the Evite system is only available to those who were invited by the host of that event. Hosts can choose to share their events publicly and allow friends to add themselves to the guest list. This is not a security issue, but a feature used by some Evite hosts," the spokesperson added.

However, IDG News Service confirmed that a user was able to access an event found on the Internet using only the Facebook guest ID. For a private event in which the user was already a guest, that user was able to log on and leave messages as another guest, by changing the GID of the link.

Lo said he has contacted Evite a number of times to report problems. The company has fixed a few of the issues he reported, but has not responded to the ones he presented at the conference.Evite has acknowledged that the company has spoken with Lo in the past.