PhishingPlace!! Phishing with Facebook's help.
As most of us who work in pentesting and security assessment know, good enumeration is essential for better results. So during a phishing campaign we were trying to enumerate the services the whole company might use, not just a financial service or an IT tool. It was a hard time when I remembered that my company had just presented us with a Facebook tool called Workplace. So I decided to take a look: I enumerated a bunch of emails with some tools and Google dorks and tried them in Workplace to see whether it returned a wrong-user error, a wrong-password error, or something else.
It was pleasant to see that Workplace returned an error, but the URL revealed that the company really does use Workplace, so we could enumerate which companies use Workplace just by submitting a fake email like ola@facebook.com.
Continuing the test, Workplace showed different error messages for some users. Cool: now we could enumerate users by the error message they get back.
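The weakness described above is a login handler whose failure message depends on whether the account exists. As an added illustration (my own example, not code from the original post or from Workplace), here is a constructed in-memory login with a leaky "before" form beside a uniform-response form, plus a small check a reviewer can run to see whether a handler still reveals account existence; the user store, salt and messages are all hypothetical.

```python
import hashlib
import hmac

# Constructed in-memory user store (hypothetical); not from the original post.
_SALT = b"constructed-salt"

def _hash(pw: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

USERS = {"alice@example.com": _hash("correct horse")}
# Dummy hash so the unknown-user path does the same work as the known-user path.
_DUMMY_HASH = _hash("placeholder")

def login_leaky(email: str, password: str) -> str:
    """'Before' form: two distinct messages reveal whether the account exists."""
    if email not in USERS:
        return "No account found for this email address"
    if not hmac.compare_digest(USERS[email], _hash(password)):
        return "Incorrect password"
    return "OK"

def login_uniform(email: str, password: str) -> str:
    """Hardened form: one message, and the same hashing work, on both failure paths."""
    stored = USERS.get(email, _DUMMY_HASH)
    # Always compute and compare a hash so a missing account is not cheaper to reject.
    matches = hmac.compare_digest(stored, _hash(password))
    ok = matches and email in USERS
    return "OK" if ok else "The email or password you entered is incorrect"

def leaks_account_existence(handler, known: str, unknown: str) -> bool:
    """Review check: does a failed login read differently for a real vs. a fake account?"""
    return handler(known, "wrong-password") != handler(unknown, "wrong-password")
```

The same check applies to password-reset and registration forms, which commonly leak the same signal through wording, status codes or response size.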
I tried to report that “bug” to Facebook, but they said it is fine for them and they accept the risk. So for me, if it's not a bug it must be a feature, so let's have fun.
In the end, I used the Workplace login page to run an awesome phishing campaign. Thanks, Facebook.