mayorredbeard
Daemon Poster
- Messages
- 1,246
I was bored, and decided to put /cPanel after the url of a lot of websites. For many of which that brings up a control panel login, and from which you can pretty much do as you please with the site.
Suprisingly a lot of sites use this tool, and very easily i was able to bring up the login screen without any preliminary screening. I would think that sites, (especially the sites that contained sensitive information such as SSN's, credit card numbers, etc. etc) would do something to prevent me from even acessing the cPanel login screen, such as an IP filter. Or some kind of extra layer of security. Of the 20 websites (all either ecommerce sites in which sensitive information could be obtained from) i tested (i wont disclose the URL's so people with malicious intent don't do anything stupid), 15 of them I was able to easily acess the cPanel page.
Anyone whos ever run a website knows that there is a default login to most adminastration tools. Very common usernames and passwords. Right now i can think of about 10 different common usernames and about 5 common passwords. By simply trying combinations of the both (i was bored, shutup, this is what i do with my free time :-D) i was able to get adminastrative access to 5 of the sites.
Is this just dumb luck on my part, or does this pose a security threat? I mean, lots of people buy things online, and if i wanted to i could of either setup a fake site on the domain so certain information would be sent to my inbox when a client submitted an order, or some other evil thing to obtain sensitive information.
I've never really tried hacking before, (if you can call it that), but this just seems too simple. This post is both a warning to people who have not changed their default cpanel login, and a shocking story that should reveal to all of us that buying things on the internet is not as safe as it may seem.
EDIT: Every site that i was able to get adminastrative access to i informed the owner of the website of what i did (annominously of course ), and told them they should change their password.
Suprisingly a lot of sites use this tool, and very easily i was able to bring up the login screen without any preliminary screening. I would think that sites, (especially the sites that contained sensitive information such as SSN's, credit card numbers, etc. etc) would do something to prevent me from even acessing the cPanel login screen, such as an IP filter. Or some kind of extra layer of security. Of the 20 websites (all either ecommerce sites in which sensitive information could be obtained from) i tested (i wont disclose the URL's so people with malicious intent don't do anything stupid), 15 of them I was able to easily acess the cPanel page.
Anyone whos ever run a website knows that there is a default login to most adminastration tools. Very common usernames and passwords. Right now i can think of about 10 different common usernames and about 5 common passwords. By simply trying combinations of the both (i was bored, shutup, this is what i do with my free time :-D) i was able to get adminastrative access to 5 of the sites.
Is this just dumb luck on my part, or does this pose a security threat? I mean, lots of people buy things online, and if i wanted to i could of either setup a fake site on the domain so certain information would be sent to my inbox when a client submitted an order, or some other evil thing to obtain sensitive information.
I've never really tried hacking before, (if you can call it that), but this just seems too simple. This post is both a warning to people who have not changed their default cpanel login, and a shocking story that should reveal to all of us that buying things on the internet is not as safe as it may seem.
EDIT: Every site that i was able to get adminastrative access to i informed the owner of the website of what i did (annominously of course ), and told them they should change their password.