Digital Defence has disclosed details of a two-factor authentication vulnerability in the web hosting platform cPanel & WebHost Manager (WHM). WHM is the management system behind more than 70 million domains. The vulnerability allowed the two-factor authentication step to be brute-forced. Digital Defence was able to show that a successful attack took just minutes.
However, there is a caveat. The attacker would need knowledge of, or access to, valid credentials. This narrows the attack surface to stolen credentials or insider attacks. That still means more than 70 million sets of credentials (assuming one per domain). It also means that web hosting firms will need to make sure they have updated all instances of WHM.
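As an added illustration, not code from Digital Defence or cPanel, the following Python shows one standard defender-side control against the weakness described above: a TOTP check that counts failed second-factor attempts per account and locks the account for a period, so a six-digit code space cannot be exhausted in minutes even when the attacker already holds the password. The secret (the RFC 6238 test secret) and the policy numbers (five failures, 15-minute lockout) are assumed values.

```python
import hmac, hashlib, struct

def totp(secret: bytes, t: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class SecondFactorVerifier:
    """Verifies TOTP codes with per-account failure counting and lockout.
    max_failures / lockout_seconds are illustrative policy values (assumed)."""
    def __init__(self, secret: bytes, max_failures: int = 5, lockout_seconds: int = 900):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0

    def verify(self, code: str, now: int) -> str:
        """Returns 'ok', 'bad-code' or 'locked'."""
        if now < self.locked_until:
            return "locked"  # refuse even a correct code while locked
        # Accept the current window and one step either side for clock skew.
        valid = code.isdigit() and len(code) == 6 and any(
            hmac.compare_digest(code, totp(self.secret, now + d)) for d in (-30, 0, 30))
        if valid:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
        return "bad-code"

def max_guesses_per_day(max_failures: int = 5, lockout_seconds: int = 900) -> int:
    """Upper bound on second-factor guesses per account per day under the policy."""
    return (86400 // lockout_seconds) * max_failures

if __name__ == "__main__":
    v = SecondFactorVerifier(b"12345678901234567890")
    print([v.verify("000000", 59) for _ in range(5)])  # five failures -> lockout
    print(v.verify(totp(v.secret, 59), 59))             # correct code, but locked
    print(max_guesses_per_day(), "guesses/day out of 1,000,000 codes")
```

Under the assumed policy an account admits at most 480 guesses per day, a small fraction of the one million possible codes, whereas an unthrottled verifier imposes no such bound.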
cPanel moves to…