2FA bypass discovered in web hosting software cPanel

More than 70 million sites are managed via cPanel software, according to the company.

cPanel login

Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage websites for their customers.

The bug, discovered by security researchers from Digital Defense, allows attackers to bypass two-factor authentication (2FA) for cPanel accounts.

Also: Best web hosting services 2020: Wix, WordPress, and more

These accounts are used by website owners to access and manage their websites and underlying server settings. Access to these accounts is critical, as once compromised, they grant threat actors full control over a victim's site.

On its website, cPanel boasts that its software is currently used by hundreds of web hosting companies to manage more than 70 million domains across the world.

But in a press release today, Digital Defense says that the 2FA implementation on older cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed threat actors to guess URL parameters and bypass 2FA — if 2FA was enabled for an account.

While brute-forcing attacks, in general, usually take hours or days to execute, in this particular case, the attack required only a few minutes, Digital Defense said today.

Exploiting this bug also requires that attackers have valid credentials for a targeted account, but these can be obtained from phishing the website owner.

While this might make some website owners think the bug is not important, it's actually the opposite since 2FA solutions were invented in the first place to protect against the use of phished credentials, and, as a result, any 2FA bypass like this bug needs to be treated with the utmost urgency and attention.

The good news is that Digital Defense has privately reported the bug, tracked as SEC-575, to the cPanel team, which has already released patches last week.

Website owners who use 2FA on their cPanel login can see if their web hosting provider has rolled out the update to their cPanel installation by checking the platform's version number.

Per cPanel's security advisory, the 2FA bypass issue has been patched in cPanel & WHM software 11.92.0.2, 11.90.0.17, and 11.86.0.32.

Users should not disable 2FA for their cPanel accounts because of this bug, but should instead request that their web hosting providers update the cPanel installation to the latest version.

A cPanel spokesperson was not immediately available for comment.