2FA bypass flaw on cPanel threatens the security of 70 million domains

Hackers were able to try as many 2FA codes as they wanted using brute force methods before landing on the right one

A man using 2FA on his smartphone to access a service on his laptop

A vulnerability affecting the cPanel & WebHost Manager (WHM) web hosting platform could allow an attacker to bypass two-factor authentication (2FA) and conduct a brute force attack to infiltrate user accounts. 

Such an attack can be accomplished in minutes, according to researchers with Digital Defense, enabling hackers to gain unwarranted access to users’ website management tools and compromise the sites they host on cPanel.

Hosting providers and users can utilise cPanel & WHM as a suite of tools for the Linux operating system to automate server management and web hosting tasks while simplifying the process of web hosting for the user. The platform claims to host more than 70 million domains in total launched on servers using cPanel & WHM.

“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability,” said Digital Defense senior vice president of engineering, Mike Cotton. 

“The Digital Defense VRT reached out to cPanel who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.”

Although 2FA has been widely understood to be a useful added layer of protection above password security, the reliability of which many in the security industry have mixed feelings about, several bypass techniques have been devised lately.

One prominent example from earlier this year is an Android banking trojan that was able to bypass 2FA by compromising a device’s accessibility features. Also discovered in just September were critical vulnerabilities in multi-factor authentication (MFA) protocols based on the WS-Trust security standard. Exploiting this flaw could allow hackers to infiltrate core Microsoft services, such as Microsoft 365.

Last year, security researcher Piotr Duszynski even launched a tool that could bypass a number of 2FA schemes widely used across platforms such as Gmail and Yahoo.

According to an advisory issued by cPanel, the 2FA cPanel Security Policy didn’t prevent an attacker from repeatedly submitting 2FA codes. This allowed an attacker to bypass the 2FA check using brute force techniques. Essentially, an attacker could try limitless variations of 2FA codes until landing on the right one to access the account. 

To fix the situation, incorrect 2FA codes are now treated as the equivalent of a failed password validation attempt. The issue has now been resolved in several builds including 11.92.0.2, 11.90.0.17 and 11.86.0.32.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Acer Taiwan falls victim to cyber attack
hacking

Acer Taiwan falls victim to cyber attack

18 Oct 2021
Marsh McLennan reveals its cyber risk analytics center
risk management

Marsh McLennan reveals its cyber risk analytics center

15 Oct 2021
£100 contactless payment limit could place shoppers at risk, warn industry experts
Policy & legislation

£100 contactless payment limit could place shoppers at risk, warn industry experts

15 Oct 2021
Hackers used MSHTML exploit a week before patches were ready
zero-day exploit

Hackers used MSHTML exploit a week before patches were ready

14 Oct 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021
What is cyber warfare?
Security

What is cyber warfare?

15 Oct 2021