{"id":1091,"date":"2020-11-28T09:11:28","date_gmt":"2020-11-28T09:11:28","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=1091"},"modified":"2020-11-28T09:11:28","modified_gmt":"2020-11-28T09:11:28","slug":"2-factor-authentication-bypass-flaw-reported-cpanel-whm-software","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/2-factor-authentication-bypass-flaw-reported-cpanel-whm-software\/","title":{"rendered":"2-Factor Authentication Bypass Flaw Reported in cPanel and WHM Software"},"content":{"rendered":"<p>cPanel, a provider of popular administrative tools to manage web hosting, has patched a security vulnerability that could have allowed remote attackers with access to valid credentials to bypass two-factor authentication (2FA) protection on an account.<\/p>\n<p>The issue, tracked as &#8220;SEC-575&#8221; and discovered by researchers from Digital Defense, has been remedied by the company in versions 11.92.0.2, 11.90.0.17, and 11.86.0.32 of the software.<\/p>\n<p>cPanel and WHM (Web Host Manager) offer a Linux-based control panel for users to handle website and server management, including tasks such as adding sub-domains and performing system and control panel maintenance. To date, over 70 million domains have been launched on servers using cPanel&#8217;s software suite.<\/p>\n<p>The issue stemmed from a lack of rate limiting on 2FA code submissions during login, which made it possible for a malicious party holding valid credentials to repeatedly submit guessed 2FA codes in a brute-force approach and circumvent the second authentication check.<\/p>\n<p>Digital Defense researchers said an attack of this kind could be accomplished in minutes.<\/p>\n<p>&#8220;The two-factor authentication cPanel Security Policy did not prevent an attacker from repeatedly submitting two-factor authentication codes,&#8221; cPanel said in its advisory. &#8220;This allowed an attacker to bypass the two-factor authentication check using brute-force techniques.&#8221;<\/p>\n<p>The company has now addressed the flaw by adding a rate limit check to its cPHulk brute-force protection service, so that a failed validation of the 2FA code is treated as a failed login attempt.<\/p>\n<p>This is not the first time the absence of rate limiting has posed a serious security concern.<\/p>\n<p>Back in July, video conferencing app Zoom fixed a security loophole that could have allowed potential attackers to crack the numeric passcode used to secure private meetings on the platform and snoop on participants.<\/p>\n<p>It&#8217;s recommended that cPanel customers apply the patches to mitigate the risk associated with the flaw.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>cPanel, a provider of popular administrative tools to manage web hosting, has patched a security vulnerability that could have<\/p>\n","protected":false},"author":1,"featured_media":1092,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[37],"tags":[],"yst_prominent_words":[412,391,1303,1301,310,394,260,199],"class_list":["post-1091","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackers-news"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1091","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=1091"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/1091\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/1092"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=1091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=1091"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=1091"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=1091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}