Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage their customers' websites.
The bug, discovered by Digital Defense security researchers, allows intruders to bypass two-factor authentication (2FA) on cPanel accounts.
These accounts are used by website owners to access and manage their sites and the underlying server settings. Access to these accounts is critical: once one is breached, it gives threat actors full control over the victim's site.
On its website, cPanel says its software is currently used by hundreds of web hosting companies to manage more than 70 million domains worldwide.
But in a press release today, Digital Defense said that 2FA in older versions of cPanel & WebHost Manager (WHM) was vulnerable to brute-force attacks: threat actors could guess the URL parameters carrying the second factor and bypass 2FA on any account that had it enabled.
While brute-force attacks generally take hours or days to execute, in this case the attack could be carried out in just a few minutes, Digital Defense said.
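To make the "few minutes" claim concrete, the following Python is an added illustration and is not cPanel's or Digital Defense's code, nor a model of cPanel's actual login flow. It implements a standard RFC 6238 TOTP check and shows why an unthrottled verifier falls to simple enumeration of a six-digit code, while the same verifier with a per-session attempt limit locks out after a handful of guesses. The secret and timestamp are the published RFC 4226/6238 test values; the attempt limit and the class names are assumptions made for the example.

```python
"""Why an unthrottled second-factor check falls to brute force (added example)."""
import hashlib
import hmac
import struct

STEP = 30     # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6    # six-digit codes: only 10**6 candidates


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP)


class SecondFactorCheck:
    """Toy 2FA verifier. max_attempts=None reproduces the unthrottled case."""

    def __init__(self, secret: bytes, max_attempts=None, skew: int = 1):
        self.secret = secret
        self.max_attempts = max_attempts   # assumed policy knob, not a cPanel setting
        self.skew = skew                   # also accept neighbouring steps (clock drift)
        self.attempts = 0
        self.locked = False
        self._cache = {}

    def _valid_codes(self, now: int) -> tuple:
        # Codes accepted at this time step; cached so brute force stays fast to run.
        key = now // STEP
        if key not in self._cache:
            self._cache[key] = tuple(
                totp(self.secret, now + s * STEP) for s in range(-self.skew, self.skew + 1)
            )
        return self._cache[key]

    def verify(self, code: str, now: int) -> bool:
        if self.locked:
            return False
        self.attempts += 1
        if self.max_attempts is not None and self.attempts > self.max_attempts:
            self.locked = True           # the control the unthrottled path lacks
            return False
        # Constant-time comparison against every accepted code.
        return any(hmac.compare_digest(code, c) for c in self._valid_codes(now))


def brute_force(check: SecondFactorCheck, now: int) -> tuple:
    """Submit every code in ascending order until one is accepted or the check locks.
    Returns (succeeded, requests_sent)."""
    for n in range(10 ** DIGITS):
        if check.verify(str(n).zfill(DIGITS), now):
            return True, n + 1
        if check.locked:
            return False, n + 1
    return False, 10 ** DIGITS


# Constructed demo input: the RFC 4226/6238 test secret and T=59 (counter 1 -> 287082).
SECRET = b"12345678901234567890"
NOW = 59

if __name__ == "__main__":
    print("unthrottled:", brute_force(SecondFactorCheck(SECRET), NOW))
    print("max 5 tries:", brute_force(SecondFactorCheck(SECRET, max_attempts=5), NOW))
```

With an accepted window of three codes out of a million and no lockout, the attacker needs on average a few hundred thousand requests, which a scripted client against a web endpoint can send in minutes; the throttled verifier stops the same enumeration after the sixth request. Note that a per-session counter is only a starting point: a real deployment also needs per-account and per-source limits so the attacker cannot simply open a fresh session.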
Exploiting the bug also requires the intruder to already hold valid credentials (username and password) for the targeted account.
While this may lead some website owners to conclude that the bug is not significant, the opposite is true: 2FA exists precisely to protect accounts whose passwords have been phished or otherwise stolen, so any 2FA bypass like this one should be treated with the utmost seriousness.
The good news is that Digital Defense reported the bug privately (it was assigned the identifier SEC-575), and the cPanel team released patches last week.
According to the cPanel security advisory, the 2FA bypass has been fixed in cPanel & WHM versions 18.104.22.168, 22.214.171.124 and 126.96.36.199.
Users should not disable 2FA on their cPanel accounts because of this bug; instead, they should ask their web hosting provider to update its cPanel installation to a patched version.