Researchers have disclosed a previously unknown vulnerability in the cPanel & WebHost Manager (WHM) web hosting platform. cPanel & WHM version 90.0 Build 5 contains a two-factor authentication bypass flaw: the second-factor check can be brute-forced, so an attacker who knows or has obtained valid credentials for an account could bypass the two-factor protection on that account.

1 Expert Comment
Craig Young, Principal Security Researcher, InfoSec Expert
November 26, 2020 1:41 pm

cPanel’s 2-factor authentication could be bypassed because it did not lock users out for failed attempts. This and a lack of rate-limiting meant that attackers could use a script to simply try every possible 2-factor code until they found the right one. The result is that this 2-factor implementation was little more than window dressing.

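The weakness described in the article summary and in Craig Young's comment (no lockout for failed attempts and no rate limiting, so a script can try every possible second-factor code) can be reproduced in a few lines. The example below is added here and is not cPanel's code or the commenter's: it implements standard RFC 6238 TOTP (HMAC-SHA1, six digits, 30-second step) with a constructed shared secret and a fixed clock, then runs the same exhaustive guessing loop against a verifier with no lockout and against one that refuses all further codes after five failures. The class and function names are the example's own.

```python
"""Simulate a brute-forceable second factor versus one with a lockout.

Stand-alone demonstration, not cPanel's implementation.  The secret and the
clock value are constructed so that runs are deterministic and offline.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample inputs (assumptions, not data from the article).
SECRET = b"constructed-demo-totp-secret"
FIXED_TIME = 1_606_395_660   # a fixed Unix time, start of a 30-second window
STEP = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.digest(secret, counter, hashlib.sha1)
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server-side second-factor check for a user who already passed the
    password step.  max_failures=None reproduces the weak behaviour the
    comment describes (no lockout at all); an integer adds a lockout."""

    def __init__(self, secret: bytes, max_failures: Optional[int] = None):
        self.secret = secret
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False
        self._cache: Dict[int, str] = {}   # expected code per time window

    def _expected(self, now: int) -> str:
        window = now // STEP
        if window not in self._cache:
            self._cache[window] = totp(self.secret, now)
        return self._cache[window]

    def verify(self, code: str, now: int) -> bool:
        if self.locked:
            return False                    # locked: even the right code fails
        if hmac.compare_digest(code, self._expected(now)):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


@dataclass
class Result:
    success: bool
    attempts: int
    code: Optional[str]


def brute_force(verifier: TotpVerifier, now: int) -> Result:
    """Attacker who holds a valid password tries every 6-digit code in order."""
    for guess in range(10 ** DIGITS):
        code = f"{guess:0{DIGITS}d}"
        if verifier.verify(code, now):
            return Result(True, guess + 1, code)
        if verifier.locked:
            return Result(False, guess + 1, None)
    return Result(False, 10 ** DIGITS, None)


def demo() -> Tuple[Result, Result]:
    """Run the attack against the weak and the hardened verifier."""
    weak = brute_force(TotpVerifier(SECRET), FIXED_TIME)
    hardened = brute_force(TotpVerifier(SECRET, max_failures=5), FIXED_TIME)
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = demo()
    print(f"no lockout:       success={weak.success} after {weak.attempts} guesses")
    print(f"lockout after 5:  success={hardened.success} after {hardened.attempts} guesses")
```

With no lockout the loop always reaches the valid code within the one-million-code space, and at most a few million HTTP requests per 30-second window is well within reach of a script. A small failure limit ends the attack after a handful of guesses; a real deployment would also rate-limit by client and account and alert on the lockout, which this example leaves out.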
Information Security Buzz