In Facebook Events, the admin can invite a user to his “private” Event by the user’s email address, and anyone on the guest list (already invited to the private event) can invite any user through that user’s Facebook account. The invited person has 3 options to respond to the invitation received (“Going”, “Maybe” or “Can’t Go”).
A malicious user is able to DoS a “private” Event’s wall, so that the admin/host of the event will no longer be able to access/moderate the event.
UserA: Victim - Admin
UserA will create a “private” Event.
UserA will invite UserC to the event through UserC’s email address.
UserB will invite UserC through UserC’s Facebook account.
UserC will respond to UserA’s email invitation with the “Can’t Go” option. UserC will be redirected to his Facebook account, where he will choose the option “Respond as [UserC’s Facebook account name]” and perform his action.