2FA Bypass Discovered In Web Hosting Software cPanel

An anonymous reader quotes a report from ZDNet: Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage websites for their customers. The bug, discovered by security researchers from Digital Defense, allows attackers to bypass two-factor authentication (2FA) for cPanel accounts. These accounts are used by website owners to access and manage their websites and underlying server settings. Access to these accounts is critical, as once compromised, they grant threat actors full control over a victim’s site.

On its website, cPanel boasts that its software is currently used by hundreds of web hosting companies to manage more than 70 million domains across the world. But in a press release today, Digital Defense says that the 2FA implementation on older cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed threat actors to guess URL parameters and bypass 2FA — if 2FA was enabled for an account. While brute-forcing attacks, in general, usually take hours or days to execute, in this particular case, the attack required only a few minutes, Digital Defense said today. Exploiting this bug also requires that attackers have valid credentials for a targeted account, but these can be obtained from phishing the website owner. The good news is that Digital Defense has privately reported the bug, tracked as SEC-575, to the cPanel team, which has already released patches last week.