SOLVED App for Android bypassing 2FA

Discussion in 'Security' started by ijsaul, Feb 5, 2019.

  1. ijsaul

    ijsaul Member

    Joined:
    Feb 19, 2015
    Messages:
    8
    Likes Received:
    1
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Hello All,

    I recently revisited my interest in trying to manage some basic functions for my WHM servers via Android app, and the below one seemed to be decently rated in the Google Play Store. I recalled having read how these apps may not function correctly with 2FA enabled, so I wasn't expecting too much.

    However, I was VERY surprised to see that by using this app along with the root password alone, I can log in and manage quite a few things on both of my servers, COMPLETELY bypassing the need for 2FA.

    I was under the impression that two-factor was enforced for all root logins, so how is this possible?

    - Removed -
     
    #1 ijsaul, Feb 5, 2019
    Last edited by a moderator: Feb 5, 2019
  2. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,910
    Likes Received:
    484
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
  3. ijsaul

    ijsaul Member

    Thank you, I'm certainly aware that the app I posted was not affiliated with cPanel.

    I'm wondering how it is possible that this application is bypassing what I thought was a requirement for login, namely 2FA.

    This seems like a security concern to me.
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

  5. ijsaul

    ijsaul Member

    It is enabled, and has been a requirement for login on this server.

    What I'm saying is that this application is bypassing my enabled 2FA.

    How is bypassing 2FA possible?
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    I can't answer that. I don't use the app or have an Android to test to confirm the issue from here. Please feel free to open a ticket directly to cPanel Technical Support if you suspect an issue with Two-Factor authentication on your server.
     
  7. ijsaul

    ijsaul Member

    I understand.

    Thank you for the direction.

    You may want to leave a link to the application with a note, as this app may be a security concern to others, and having this information out there would be useful.

    I'll explore with support and provide follow up later on.
     
  8. Infopro

    Infopro cPanel Sr. Product Evangelist Staff Member

    Please do. Thanks!

    I think removing the link from your post is best, no need to make it any more available than it might be otherwise.
     
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,334
    Likes Received:
    2,162
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @ijsaul,

    You'll need to access WHM >> Configure Security Policies to extend the Two-Factor Authentication security policy to API requests. This will ensure it's enforced for third-party applications that make use of API calls for login purposes. You can read more about this option at:

    Configure Security Policies - Version 76 Documentation - cPanel Documentation

    Let me know if you have any questions.

    Thank you.
     
    Infopro likes this.