2FA bypass flaw on cPanel threatens the security of 70 million domains

Hackers were able to try as many 2FA codes as they wanted using brute force methods before landing on the right one

A man using 2FA on his smartphone to access a service on his laptop

A vulnerability affecting the cPanel & WebHost Manager (WHM) web hosting platform could allow an attacker to bypass two-factor authentication (2FA) and conduct a brute force attack to infiltrate user accounts. 

Such an attack can be accomplished in minutes, according to researchers with Digital Defense, enabling hackers to gain unwarranted access to users’ website management tools and compromise the sites they host on cPanel.

Hosting providers and users can utilise cPanel & WHM as a suite of tools for the Linux operating system to automate server management and web hosting tasks while simplifying the process of web hosting for the user. The platform claims to host more than 70 million domains in total launched on servers using cPanel & WHM.

“Our standard practice is to work in tandem with organizations on a coordinated disclosure effort to facilitate a prompt resolution to a vulnerability,” said Digital Defense senior vice president of engineering, Mike Cotton. 

“The Digital Defense VRT reached out to cPanel who worked diligently on a patch. We will continue outreach to customers ensuring they are aware and able to take action to mitigate any potential risk introduced by the vulnerability.”

Although 2FA has been widely understood to be a useful added layer of protection above password security, the reliability of which many in the security industry have mixed feelings about, several bypass techniques have been devised lately.

One prominent example from earlier this year is an Android banking trojan that was able to bypass 2FA by compromising a device’s accessibility features. Also discovered in just September were critical vulnerabilities in multi-factor authentication (MFA) protocols based on the WS-Trust security standard. Exploiting this flaw could allow hackers to infiltrate core Microsoft services, such as Microsoft 365.

Last year, security researcher Piotr Duszynski even launched a tool that could bypass a number of 2FA schemes widely used across platforms such as Gmail and Yahoo.

According to an advisory issued by cPanel, the 2FA cPanel Security Policy didn’t prevent an attacker from repeatedly submitting 2FA codes. This allowed an attacker to bypass the 2FA check using brute force techniques. Essentially, an attacker could try limitless variations of 2FA codes until landing on the right one to access the account. 

To fix the situation, incorrect 2FA codes are now treated as the equivalent of a failed password validation attempt. The issue has now been resolved in several builds including 11.92.0.2, 11.90.0.17 and 11.86.0.32.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp
phishing

Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp

21 Dec 2021
Five things to consider before choosing an MFA solution
Security

Five things to consider before choosing an MFA solution

17 Dec 2021
Australia and US sign CLOUD Act data-sharing deal to support criminal investigations
cyber crime

Australia and US sign CLOUD Act data-sharing deal to support criminal investigations

16 Dec 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022
Synology DiskStation DS2422+ review: A cube of great capacity
network attached storage (NAS)

Synology DiskStation DS2422+ review: A cube of great capacity

10 Jan 2022