SOLVED App for Android bypassing 2FA

ijsaul · Feb 5, 2019

Hello All,

I recently revisited my interest in trying to manage some basic functions for my WHM servers via Android app, and the below one seemed to be decently rated in the Google Play Store. I recalled having read how these apps may not function correctly with 2FA enabled, so I wasn't expecting too much.

However, I was VERY surprised to see that by using this app along with root password alone, I can login and manage quite a few things on both of my serves, COMPLETELY bypassing the need for 2FA.

I was under the impression that two-factor was enforced for all root logins, so how is this possible?

- Removed -

Infopro · Feb 5, 2019

I've removed your link, that app is not affiliated with cPanel. This is the official cPanel app on googleplay:
https://play.google.com/store/apps/details?id=com.cpanel.android&hl=en

ijsaul · Feb 5, 2019

Thank you, I'm certainly aware that the app I posted was not affiliated with cPanel.

I'm wondering how it is possible that this application is bypassing what I thought was a requirement for login, namely 2FA.

This seems like a security concern to me.

Infopro · Feb 5, 2019

TFA is not enabled by default, you enable it if you wish to use it.
Two-Factor Authentication for WHM - Version 76 Documentation - cPanel Documentation

ijsaul · Feb 5, 2019

It is enabled, and has been a requirement for login on this server.

What I'm saying is that this application is bypassing my enabled 2FA.

How is bypassing 2FA possible.

Infopro · Feb 5, 2019

I can't answer that. I don't use the app or have an android to test to confirm the issue from here. Please feel free to open a ticket directly to cPanel Technical Support if you suspect and issue with Two-Factor authentication on your server.

ijsaul · Feb 5, 2019

I understand.

Thank you for the direction.

You may want to leave a link to the application with a note, as this app may be a security concern to others, and having this information out there would be useful.

I'll explore with support and provide follow up later on.

Infopro · Feb 5, 2019

Please do. Thanks!

I think removing the link from your post is best, no need to make it any more available than it might be otherwise.

cPanelMichael · Feb 5, 2019

Hello @ijsaul,

You'll need to access WHM >> Configure Security Policies to extend the Two-Factor Authentication security policy to API requests. This will ensure it's enforced for third-party applications that make use of API calls for login purposes. You can read more about this option at:

Configure Security Policies - Version 76 Documentation - cPanel Documentation

Let me know if you have any questions.

Thank you.

Thread starter	Similar threads	Forum	Replies	Date
N	Handler for application/x-httpd-ea-php72 returned invalid result code 70014	Security	6	Aug 31, 2022
C	How to allow port 2195 for Apple Push Notification in CentOS with WHM/cPanel?	Security	4	Jul 25, 2022
	Question about: cPhulk contains outdated country code IP lists after applying a major version updates to cPanel	Security	4	May 3, 2022
S	Apple Mail client constantly blocked for port scanning	Security	19	Apr 20, 2022
L	As I have applied auto HTTPS:// for some other domains and worked WITHOUT HAVING SSL???	Security	6	Jan 11, 2022

Search

Search

SOLVED App for Android bypassing 2FA

ijsaul

Member

Infopro

Well-Known Member

ijsaul

Member

Infopro

Well-Known Member

ijsaul

Member

Infopro

Well-Known Member

ijsaul

Member

Infopro

Well-Known Member

cPanelMichael

Administrator