Yesterday I had a very big issue when a customer called me for help regarding an employee that he had to fire; he wanted to make sure that the emails the employee had on his account would not be deleted by the employee.
I told him that he could do a backup of all the emails prior to telling the employee that he would be terminated. I also told him to change the email password so the customer will not have access to the account, and he did it accordingly.
Well, the employee was fired and a few minutes later all the emails were gone; the account, with more than 12,000 emails, was empty.
My customer called me asking why the emails were deleted if the email account was changed. I couldn't answer at that moment what had happened, but after seeing the server logs I realized that the employee had the webmail open and, even though the password was changed, he could still complete actions in webmail and deleted everything; all emails gone.
Thank God he did the backup, but what I see is a security FLAW in cPanel that I have tried and it is working; you can do it yourself:
Try to do this yourself for testing:
1. Open a webmail account and don't close it.
2. Go to cPanel and change the password for that account.
3. On the webmail that is still open, send emails or delete them, everything will work.
So, what happened?
It seems that cPanel is not closing IMAP connections for the account whose password has changed, and the connection that is still alive could do anything.
I have reported this to cPanel, but the answer that I received was not what I wanted to hear from them, so I am telling this story so that you take care when you have any of the following scenarios:
- If an email is compromised and the hacker has the connection open in IMAP, the hacker could still send thousands of emails even if the email account has a new password. (This one is my biggest concern.)
- If you don't want anyone to continue using his email account right away.
For me the easy way to fix this is that cPanel could send a close IMAP connection to the account immediately when the new password is saved.
Your thoughts?
Sergio
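An added example, not part of the original post and not cPanel code: a log audit that lists which sessions were still open when a password was changed (the ones that would need to be terminated) and which actions those sessions performed afterwards. The event format, field names and sample lines are constructed assumptions, not the log format of cPanel or its mail server.

```python
from datetime import datetime

# Constructed sample events in a hypothetical normalized format
# (an assumption for illustration, not a real cPanel or IMAP server log).
SAMPLE_LOG = """\
2024-05-01T09:00:00 LOGIN user=bob@example.com session=s1
2024-05-01T09:05:00 LOGIN user=ann@example.com session=s2
2024-05-01T09:30:00 PASSWD_CHANGE user=bob@example.com
2024-05-01T09:31:00 ACTION user=bob@example.com session=s1 op=DELETE
2024-05-01T09:32:00 LOGIN user=bob@example.com session=s3
2024-05-01T09:33:00 ACTION user=bob@example.com session=s3 op=SEND
2024-05-01T09:34:00 ACTION user=bob@example.com session=s1 op=SEND
2024-05-01T09:35:00 ACTION user=ann@example.com session=s2 op=DELETE
""".splitlines()

def parse(line):
    """Split one event line into (timestamp, kind, key=value fields)."""
    ts, kind, *pairs = line.split()
    return datetime.fromisoformat(ts), kind, dict(p.split("=", 1) for p in pairs)

def audit(lines):
    """Return (sessions_to_terminate, stale_actions) for a list of event lines."""
    open_sessions = {}   # session id -> (user, login time)
    changed_at = {}      # user -> time of the latest password change
    to_terminate = set() # sessions alive at the moment of a password change
    stale_actions = []   # actions by sessions that predate the change
    for ts, kind, f in sorted(map(parse, lines), key=lambda e: e[0]):
        user, sid = f["user"], f.get("session")
        if kind == "LOGIN":
            open_sessions[sid] = (user, ts)
        elif kind == "LOGOUT":
            open_sessions.pop(sid, None)
        elif kind == "PASSWD_CHANGE":
            changed_at[user] = ts
            to_terminate |= {s for s, (u, _) in open_sessions.items() if u == user}
        elif kind == "ACTION" and sid in open_sessions:
            login_ts = open_sessions[sid][1]
            # Session authenticated with the old password but is still acting.
            if user in changed_at and login_ts < changed_at[user]:
                stale_actions.append((ts.isoformat(), user, sid, f["op"]))
    return to_terminate, stale_actions

if __name__ == "__main__":
    kill, stale = audit(SAMPLE_LOG)
    print("terminate:", sorted(kill))
    for row in stale:
        print("stale action:", row)
```
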