cPanel Patches a 2FA Flaw
cPanel is more like a simple dashboard for hosting accounts. It’s used by a number of companies and users in handling their website’s hosting control panel every day. It’s so popular that, over 70 million domains were launched based on cPanel in the last two decades. And now, it’s reported to have a flaw in its 2FA protocol. Discovered by Digital Defense, a vulnerability and threat management firm, it says the cPanel and WebHost Manager (WHM) has a Two-Factor authentication flaw, that would let an attacker with primary credentials access a user’s account. WebHost Manager is just another tool from cPanel for handling the automated server settings. The vulnerability was discovered in the cPanel version 11.90.05, which would let an attacker breach the set 2FA security using the brute-force technique. It’s reported that the attacker can submit 2FA codes repeatedly to bypass the security barrier, and access the user’s hosting account. Digital Defense has reported this to cPanel and had this flaw patched. cPanel in its updated builds of v11.92.0.2, 11.90.0.17, 11.86.0.32 has set a limit to the number of times an attacker can submit the 2FA codes. This limits the brute-force attacks, which would have otherwise be hacked in minutes as noted by Digital Defense. It also mentioned that the hacker should be having the primary credentials to perform this hack.