An anonymous reader quotes a report from ZDNet: Security researchers have
discovered a major security flaw in cPanel, a popular software suite used
by web hosting companies to manage websites for their customers. The bug,
discovered by security researchers from Digital Defense, allows attackers
to bypass two-factor authentication (2FA) for cPanel accounts. These
accounts are used by website owners to access and manage their websites
and underlying server settings. Access to these accounts is critical, as
once compromised, they grant threat actors full control over a victim’s
site. On its website, cPanel boasts that its software is currently used
by hundreds of web hosting companies to manage more than 70 million
domains across the world. But in a press release today, Digital Defense
says that the 2FA implementation on older cPanel & WebHost Manager (WHM)
software was vulnerable to brute-force attacks that allowed threat actors
to guess URL parameters and bypass 2FA — if 2FA was enabled for an
account. While brute-forcing attacks, in general, usually take hours or
days to execute, in this particular case, the attack required only a few
minutes, Digital Defense said today. Exploiting this bug also requires
that attackers have valid credentials for a targeted account, but these
can be obtained from phishing the website owner. The good news is that
Digital Defense has privately reported the bug, tracked as SEC-575, to
the cPanel team, which already released patches last week. …
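As an added illustration (not part of the ZDNet report, and not cPanel's or WHM's own code), the following Python sketch shows the control whose absence makes a second-factor code guessable in minutes: a per-account failure budget on the 2FA verification step, sitting behind an RFC 6238 TOTP check. The user names and the shared secret are constructed; the secret is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import struct

MAX_FAILURES = 5       # wrong codes tolerated before the account is locked
LOCKOUT_SECONDS = 300  # lock duration; a 6-digit space has 10**6 candidates

def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TwoFactorGate:
    """Second-factor check for an already password-authenticated session.
    The failure budget, not the code space, bounds how many guesses are evaluated."""
    def __init__(self, secrets: dict, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS):
        self.secrets = secrets          # constructed: user -> TOTP secret bytes
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = {}              # user -> consecutive wrong codes
        self.locked_until = {}          # user -> unix time the lock expires

    def verify(self, user: str, submitted: str, now: float) -> str:
        if now < self.locked_until.get(user, 0.0):
            return "locked"             # reject without evaluating the code at all
        expected = totp(self.secrets[user], now)
        if hmac.compare_digest(submitted, expected):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = 0
        return "rejected"

def codes_evaluated_before_lock(gate: TwoFactorGate, user: str, now: float) -> int:
    """Feeds sequential 6-digit codes to the gate and counts how many were
    actually compared before the lock engaged (or one was accepted)."""
    evaluated = 0
    for guess in range(10 ** 6):
        outcome = gate.verify(user, f"{guess:06d}", now)
        if outcome == "locked":
            break
        evaluated += 1
        if outcome == "ok":
            break
    return evaluated
```

Without the budget the same loop would be bounded only by the one million possible codes and by how fast the endpoint answers, which is why a missing limit turns a 2FA step into a few minutes of work for someone who already holds the password.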