PhishingPlace!! Phishing with Facebook's help.

Kelvin Clark
Published in stolabs
Feb 2, 2018

As most of us who work with pentesting and security assessments know, good enumeration is essential for better results. So during a phishing campaign we were trying to enumerate some of the services that the whole company could use, not just a financial service or an IT tool. While struggling with that, I remembered that my company had just introduced us to a Facebook tool called Workplace. So I decided to take a look: I enumerated a bunch of emails with some tools and Google dorks and tried them on Workplace to see whether it returned a wrong-user error, a wrong-password error or something else.

It was pleasant to see that Workplace returned an error, and that the URL revealed that the company really uses Workplace, so we could enumerate the companies that use Workplace just by sending a fake email like ola@facebook.com.

Error page showing the company name on Workplace.

Continuing the test, Workplace showed different error messages for some users. Cool: now we could enumerate users by the error message returned for them.

Facebook response to my report.

I tried to report that “bug” to Facebook, but they said it is OK for them and they accept the risk. So, for me, if it's not a bug it must be a feature, so let's have fun.
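The weakness described above, as an added example that is not from the original post or from Workplace: a login check that returns one message for an unknown address and another for a wrong password (so the response reveals which addresses are accounts), beside a version that answers uniformly, plus the check a defender would put in a test suite. The user store, account and password here are constructed.

```python
import hashlib
import hmac

# Constructed demo user store: email -> salted password hash (not real accounts).
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"alice@example.com": _hash("correct horse battery staple")}
# Hash compared against for unknown addresses, so the work done is the same
# whether or not the address exists (keeps response timing uniform too).
_DUMMY_HASH = _hash("dummy")


def login_leaky(email: str, password: str) -> str:
    """Different message per failure cause: the reply itself tells the caller
    whether the address is a registered account. This is the behaviour that
    lets an outsider enumerate users through the login form."""
    stored = USERS.get(email)
    if stored is None:
        return "No account found for this email"
    if not hmac.compare_digest(stored, _hash(password)):
        return "Incorrect password"
    return "OK"


def login_uniform(email: str, password: str) -> str:
    """Hardened form: one message for every failure, and the password hash is
    computed even for unknown addresses. The explicit membership check stops
    the dummy hash from ever authenticating a non-existent account."""
    stored = USERS.get(email, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password)) and email in USERS
    return "OK" if ok else "Invalid email or password"


def leaks_account_existence(login_fn) -> bool:
    """Regression check for a test suite: a handler leaks if a wrong password
    produces different text for a known address than for an unknown one."""
    known = login_fn("alice@example.com", "definitely-wrong")
    unknown = login_fn("nobody@example.com", "definitely-wrong")
    return known != unknown
```

Run `leaks_account_existence` against the login handler in CI so that a future change which reintroduces per-cause error text fails the build.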

Good to see some Brazilian companies using it.
Some of them may have to make some changes.
Pfizer uses it for its Science Center, maybe?
It seems like no one likes Google+, not even Google.

https://youtu.be/88FfP8OiWHU

In the end, I used the Workplace login page to run an awesome phishing campaign. Thanks, Facebook.
