I'm a WordPress developer who has several thousand clients on many different web-hosts, most of which run cPanel.
We've recently uncovered a security exploit likely caused by cPanel password theft, but in each case the hacker added an email forward for each of the users' email addresses, forwarding all emails to his own account, presumably so that he could sift through them for other passwords, personal data, etc.
It got me thinking that a very logical extra layer of protection should be added to cPanel. What I propose is this: when an email forward is set up, an email should be sent to the address being forwarded saying basically "an email forward has been set up to address X. If you did this, take no action; if not, log in and delete the forward and change your cPanel password."
The silent nature of email-forwarding hacks makes this a very appropriate failsafe to add. Gmail just instituted very similar policies to safeguard against unwanted email forwards after some high-profile hacking issues, see:
Why do I have a forwarding notice? - Gmail Help
Gmail Forwarding Filter Alerts About Filters Forwarding Email to Other Accounts
Would the developers consider adding this security improvement?
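The check the post proposes can be run from the hosting side today as a scheduled audit. The following is an added example, not cPanel's own code or anything the poster wrote: it assumes forwarders are stored one per line in the `/etc/valiases/<domain>` style (`address: destination, destination`), compares a saved snapshot with the current file to find forwards added since the last run, flags any that send mail outside the hosted domain (the silent-theft pattern described above), and builds the notification that should go to the owner of each affected mailbox. The sample snapshots and the addresses in them are constructed for the example.

```python
"""Audit a forwarder file for newly added e-mail forwards.

Added example (not cPanel's code). Assumption: forwarders are stored as
'address: destination, destination' lines, as in /etc/valiases/<domain>.
"""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Forward:
    source: str       # mailbox whose mail is being forwarded
    destination: str  # address the mail is sent on to


# 'local-part@domain: dest1, dest2'  (the '*' catch-all line is skipped below)
LINE_RE = re.compile(r"^\s*([^:#\s]+)\s*:\s*(.+?)\s*$")


def parse_forwarders(text: str) -> set[Forward]:
    """Return the set of real forwards in a forwarder file.

    Non-address destinations (':fail:', '|/path', quoted pipes) and a
    mailbox forwarding to itself (which only keeps a local copy) are not
    forwards, so they are ignored.
    """
    forwards: set[Forward] = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) == "*":
            continue
        source = m.group(1).lower()
        for dest in (d.strip().lower() for d in m.group(2).split(",")):
            if "@" not in dest or dest.startswith(('"', "|", ":")):
                continue
            if dest == source:
                continue
            forwards.add(Forward(source, dest))
    return forwards


def new_forwards(previous: str, current: str) -> list[Forward]:
    """Forwards present in the current file but not in the saved snapshot."""
    added = parse_forwarders(current) - parse_forwarders(previous)
    return sorted(added, key=lambda f: (f.source, f.destination))


def is_external(fwd: Forward) -> bool:
    """True when the forward sends mail to a different domain than the source."""
    return fwd.source.rsplit("@", 1)[1] != fwd.destination.rsplit("@", 1)[1]


def notification(fwd: Forward) -> dict:
    """The message the post proposes, addressed to the forwarded mailbox."""
    body = (
        f"An email forward has been set up from {fwd.source} to "
        f"{fwd.destination}. If you did this, take no action. If not, log in, "
        "delete the forward and change your cPanel password."
    )
    return {
        "to": fwd.source,
        "subject": "New email forward on your account",
        "body": body,
        "external": is_external(fwd),
    }


def audit(previous: str, current: str) -> list[dict]:
    """One notification per forward added since the snapshot."""
    return [notification(f) for f in new_forwards(previous, current)]


# Constructed sample snapshots (addresses are placeholders, not real data).
PREVIOUS = """\
alice@example.com: alice@example.com
*: :fail: No such user here
"""

CURRENT = """\
alice@example.com: alice@example.com, collector@external-example.net
bob@example.com: collector@external-example.net
support@example.com: alice@example.com
*: :fail: No such user here
"""

if __name__ == "__main__":
    for note in audit(PREVIOUS, CURRENT):
        flag = "EXTERNAL" if note["external"] else "internal"
        print(f"[{flag}] notify {note['to']}: {note['body']}")
```

Run it from cron against a copy of the previous file; anything flagged `EXTERNAL` deserves attention even before the mailbox owner replies, since a forward to an unrelated domain is exactly what the compromised accounts above had in common.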