It is true that the ‘forget your password’ feature is very important in today’s digital world, especially for users who manage multiple accounts with different passwords since they tend to forget the password for each account. However, many people are unaware that this feature can also be used by malicious actors to gain access to one’s account. In this article, we will show you how attackers can use the ‘forget your password’ feature in cPanel, one of the most popular Linux-based control panels for web hosting accounts to gain access to a user’s account and website.
A security researcher from Sucuri, a website security and protection platform, found malware on a compromised website’s hosting environment. The malware is then used to change the cPanel user password. This allows attackers to access the hosting plan and its associated websites. Once they have gained access to the compromised environment, they can create an SSH or FTP user to re-upload any malicious content after the website is cleaned of all malware and the password is reset.
To successfully modify the password, the attacker needs to change the contact email address first. This is usually accomplished through the cPanel interface. Firstly, the attacker will obtain the victim’s username via the get_current_user(). Afterward, they will run a malicious script with a configured email address (attacker@evil.com), as seen below, so that the contact email address can be changed without the user (victim) ever being notified.
After successfully running the code above, the contact email address in .contactemail and .cpanel/contactinfo is updated with the configured email set by the attacker. This means that the attacker can now simply click the ‘forget your password’ feature and change the password easily. Once the password is changed, the attacker can gain access to the user’s site.
One of the ways to prevent the password reset attack is by enabling the two-factor authentication for your account, especially for critical applications that might contain valuable data or that are connected to your business database. By enabling two-factor authentication, every time an attacker tries to break into your account, you will be notified directly as the system will send a one-time password to your mobile phone. This password is needed by the attacker to successfully log in to your account.
As discussed in the article above, the ‘forget your password’ feature can be manipulated by malicious actors to gain access to your account and use it for harmful acts. It is your job to stay vigilant and up to date with the latest cyber threats. Therefore, as one of the IT security experts in Indonesia, DNS keeps on reminding you about the latest cyber threats facing the business world today.
