2FA bypass flaw on cPanel threatens the security of 70 million domains

Hackers were able to try as many 2FA codes as they wanted using brute force methods before landing on the right one

A man using 2FA on his smartphone to access a service on his laptop

A vulnerability affecting the cPanel & WebHost Manager (WHM) web hosting platform could allow an attacker to bypass two-factor authentication (2FA) and conduct a brute force attack to infiltrate user accounts. 

Such an attack can be accomplished in minutes, according to researchers with Digital Defense, enabling hackers to gain unwarranted access to users’ website management tools and compromise the sites they host on cPanel.

Hosting providers and users can utilise cPanel & WHM as a suite of tools for the Linux operating system to automate server management and web hosting tasks while simplifying the process of web hosting for the user. The platform claims to host more than 70 million domains in total launched on servers using cPanel & WHM.

“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability,” said Digital Defense senior vice president of engineering, Mike Cotton. 

“The Digital Defense VRT reached out to cPanel who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.”

Although 2FA has been widely understood to be a useful added layer of protection above password security, the reliability of which many in the security industry have mixed feelings about, several bypass techniques have been devised lately.

One prominent example from earlier this year is an Android banking trojan that was able to bypass 2FA by compromising a device’s accessibility features. Also discovered in just September were critical vulnerabilities in multi-factor authentication (MFA) protocols based on the WS-Trust security standard. Exploiting this flaw could allow hackers to infiltrate core Microsoft services, such as Microsoft 365.

Last year, security researcher Piotr Duszynski even launched a tool that could bypass a number of 2FA schemes widely used across platforms such as Gmail and Yahoo.

According to an advisory issued by cPanel, the 2FA cPanel Security Policy didn’t prevent an attacker from repeatedly submitting 2FA codes. This allowed an attacker to bypass the 2FA check using brute force techniques. Essentially, an attacker could try limitless variations of 2FA codes until landing on the right one to access the account. 

To fix the situation, incorrect 2FA codes are now treated as the equivalent of a failed password validation attempt. The issue has now been resolved in several builds including 11.92.0.2, 11.90.0.17 and 11.86.0.32.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

29 Jul 2021
Colonial Pipeline hack spurred copycat attacks on other oil and gas companies
hacking

Colonial Pipeline hack spurred copycat attacks on other oil and gas companies

29 Jul 2021
Study finds companies are mishandling cyber security recruitment
cyber security

Study finds companies are mishandling cyber security recruitment

28 Jul 2021
What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

28 Jul 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
IT Pro Panel: Why IT leaders need soft skills
professional development

IT Pro Panel: Why IT leaders need soft skills

26 Jul 2021