Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage websites for their customers.
The bug, discovered by security researchers from Digital Defense, allows attackers to bypass two-factor authentication (2FA) for cPanel accounts.
These accounts are used by website owners to access and manage their websites and underlying server settings. Access to these accounts is critical, as once compromised, they grant threat actors full control over a victim’s site.
On its website, cPanel boasts that its software is currently used by hundreds of web hosting companies to manage more than 70 million domains across the world.
But in a press release today, Digital Defense says that the 2FA implementation on older cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed threat actors to guess URL parameters and bypass 2FA — if 2FA was enabled for
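The flaw described above comes down to a second-factor check that can be guessed exhaustively. The following Python is an added illustration of that bug class, not cPanel's or Digital Defense's code: a 6-digit time-based code has only 1,000,000 possible values, so a verifier that accepts unlimited guesses inside one time window can be searched in full, while a verifier that locks the session after a handful of failures cannot. The secret, the frozen timestamp and the attempt cap are constructed for the demo; the one-time-code arithmetic follows RFC 4226/6238.

```python
"""Added example: an unthrottled 2FA code verifier beside a throttled one.

Hypothetical code, not the cPanel implementation. The clock is frozen at a
constructed timestamp so the whole search happens inside one TOTP window,
which is the situation a real brute-force attack exploits.
"""
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"   # constructed sample, not a real key
FROZEN_TIME = 1_600_000_000           # constructed timestamp (seconds)
MAX_ATTEMPTS = 5                      # lockout threshold for the hardened verifier


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, at // step)


class UnthrottledVerifier:
    """Vulnerable: compares the code but never limits how often it is asked."""

    def __init__(self, secret: bytes, at: int = FROZEN_TIME):
        self.expected = totp(secret, at)   # what a real server derives per request
        self.attempts = 0

    def verify(self, code: str) -> bool:
        self.attempts += 1
        return hmac.compare_digest(code, self.expected)


class ThrottledVerifier(UnthrottledVerifier):
    """Hardened: refuses further codes once MAX_ATTEMPTS failures are seen."""

    def __init__(self, secret: bytes, at: int = FROZEN_TIME):
        super().__init__(secret, at)
        self.locked = False

    def verify(self, code: str) -> bool:
        if self.locked:
            return False
        ok = super().verify(code)
        if not ok and self.attempts >= MAX_ATTEMPTS:
            self.locked = True
        return ok


def brute_force(verifier, digits: int = 6):
    """Attacker loop: submit every possible code in order until one is
    accepted or the verifier locks. Returns (accepted_code_or_None, attempts)."""
    for guess in range(10 ** digits):
        code = f"{guess:0{digits}d}"
        if verifier.verify(code):
            return code, verifier.attempts
        if getattr(verifier, "locked", False):
            return None, verifier.attempts
    return None, verifier.attempts


if __name__ == "__main__":
    found, n = brute_force(UnthrottledVerifier(SECRET))
    print(f"unthrottled: code {found} accepted after {n} guesses")
    found, n = brute_force(ThrottledVerifier(SECRET))
    print(f"throttled:   accepted={found}, stopped after {n} guesses")
```

Against the unthrottled verifier the loop always succeeds, on average after half a million requests, which is a matter of minutes over HTTP; against the throttled one it stops after five. Rate limiting is only half of the fix in practice: the lockout state has to be bound to the session or account, not to a client-supplied parameter the attacker can reset.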
HackerOne’s list was topped by cross-site scripting, with improper access control and server-side request forgery (SSRF) vulnerabilities climbing in both number and risk potential.
Bug bounty platform HackerOne has released its list of the most commonly discovered security vulnerabilities for 2020, with the 10 vulnerabilities listed accounting for $23.5 million in payouts to white hat hackers hunting down bugs and reporting them on its platform.
As the COVID-19 pandemic continues, businesses of all kinds have been forced to go digital faster than they may have planned, leading to a whole host of new potential security vulnerabilities.
“Tens of millions of workers started working remotely whether or not they were ready,” said HackerOne senior director of project management, Miju Han. “With this accelerated pace of digital transformation, CISOs had to quickly facilitate new needs while ensuring the security of existing systems.”
Lists like this one from HackerOne are invaluable information
Many of the vulnerabilities discovered by security researchers are patched before the public is made aware of the problem, and before any exploit is seen in the wild. A flaw reported by Sergei Glazunov of Google’s Project Zero earlier this week, however, was already being actively exploited, according to a post on the Chrome Releases Google blog. Buried towards the end of the post, it states, “Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild.”
CVE-2020-15999 has been patched along with a handful of other security bugs in Google’s Chrome browser and Chrome OS (the operating system used on Chromebooks). CVE-2020-15999 is a zero-day heap buffer overflow, a memory corruption bug, in the FreeType font rendering library, which is a part of Google Chrome and Chrome