Two-Factor Authentication Bypass Flaw Affects 70 Million+ Domains

By   ISBuzz Team
Writer , Information Security Buzz | Nov 26, 2020 05:35 am PST

Researchers have uncovered a previously undisclosed vulnerability affecting the cPanel & WebHost Manager (WHM) web hosting platform. cPanel &WHM version (90.0 Build 5) exhibits a two-factor authentication bypass flaw, vulnerable to brute force attack, resulting in a scenario where an attacker with knowledge of or access to valid credentials could bypass two-factor authentication protections on an account.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Craig Young
Craig Young , Principal Security Researcher
November 26, 2020 1:41 pm

cPanel’s 2-factor authentication could be bypassed because it did not lock users out for failed attempts. This and a lack of rate-limiting meant that attackers could use a script to simply try every possible 2-factor code until they found the right one. The result is that this 2-factor implementation was little more than window dressing.

Last edited 3 years ago by Craig Young

Recent Posts

Would love your thoughts, please comment.x