2FA bypass discovered in web hosting software cPanel

Image: cPanel login

Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage websites for their customers.

The bug, discovered by security researchers from Digital Defense, allows attackers to bypass two-factor authentication (2FA) for cPanel accounts.

These accounts are used by website owners to access and manage their websites and underlying server settings. Access to these accounts is critical, as once compromised, they grant threat actors full control over a victim’s site.

On its website, cPanel boasts that its software is currently used by hundreds of web hosting companies to manage more than 70 million domains across the world.

But in a press release today, Digital Defense says that the 2FA implementation on older cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed threat actors to guess URL parameters and bypass 2FA — if 2FA was enabled for an account.

While brute-forcing attacks, in general, usually take hours or days to execute, in this particular case, the attack required only a few minutes, Digital Defense said today.

Exploiting this bug also requires that attackers have valid credentials for a targeted account, but these can be obtained from phishing the website owner.

While this prerequisite might lead some website owners to think the bug is unimportant, the opposite is true: 2FA was invented precisely to protect accounts against the use of phished credentials, so any 2FA bypass like this one needs to be treated with the utmost urgency and attention.

The good news is that Digital Defense privately reported the bug, tracked as SEC-575, to the cPanel team, which released patches last week.

Website owners who use 2FA on their cPanel login can see if their web hosting provider has rolled out the update to their cPanel installation by checking the platform’s version number.

Per cPanel’s security advisory, the 2FA bypass issue has been patched in cPanel & WHM software 11.92.0.2, 11.90.0.17, and 11.86.0.32.
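The version check described above can be automated against the three fixed releases named in the advisory. The script below is an added example, not code from cPanel or Digital Defense; it assumes the full "11.x.y.z" version form quoted in the advisory, and treats the shorter "92.0.2" form some WHM screens show as the same version with the "11." prefix dropped (an assumption). Branches the advisory does not list are reported as "unknown" rather than guessed at.

```python
# Patched releases named in cPanel's SEC-575 advisory, keyed by
# release branch (major, minor).
PATCHED_RELEASES = {
    (11, 86): (11, 86, 0, 32),
    (11, 90): (11, 90, 0, 17),
    (11, 92): (11, 92, 0, 2),
}


def parse_version(text):
    """Turn a cPanel & WHM version string into a tuple of ints.

    Accepts the full form "11.92.0.2" as printed in the advisory and
    (assumption) the short form "92.0.2" shown in some WHM screens,
    which is normalised by restoring the implicit "11." prefix.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) == 3:          # short form: restore the implicit major "11"
        parts.insert(0, 11)
    if len(parts) != 4:
        raise ValueError(f"unrecognised cPanel version string: {text!r}")
    return tuple(parts)


def sec575_status(text):
    """Classify an installation against the SEC-575 patched releases.

    Returns "patched", "vulnerable", or "unknown" (the branch is not one
    of the three the advisory lists, so no judgement can be made from it).
    """
    version = parse_version(text)
    fixed = PATCHED_RELEASES.get(version[:2])
    if fixed is None:
        return "unknown"
    # Tuple comparison orders element by element, so 11.92.0.10 > 11.92.0.2.
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real host.
    for sample in ("11.92.0.1", "11.92.0.2", "90.0.17", "11.86.0.30", "11.88.0.10"):
        print(f"{sample:>11} -> {sec575_status(sample)}")
```

An "unknown" result means the branch is outside the advisory's scope, so the provider's own release notes must be consulted rather than assuming the fix is present.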

Users should not disable 2FA for their cPanel accounts because of this bug, but should instead request that their web hosting providers update the cPanel installation to the latest version.

A cPanel spokesperson was not immediately available for comment.

Source: ZDNet