Last week, several organizations with domains registered at Squarespace had their websites taken over. Roughly a year ago, Squarespace acquired the assets of Google Domains, but many of the migrated customers had still not set up their new Squarespace accounts. According to researchers, attackers seized migrated accounts that had never been claimed by simply signing up with an email address already associated with an existing domain.
Until last weekend, the Squarespace login page offered an email-and-password login option.
The Squarespace domain hijacks occurred between July 9 and July 12 and primarily targeted cryptocurrency companies, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. In some cases the attackers redirected the hijacked domains to fraudulent websites built to steal visitors’ cryptocurrency.
Squarespace, based in New York City, acquired roughly 10 million domain names from Google Domains in June 2023 and has been gradually moving those domains onto its platform since then. Squarespace did not respond to requests for comment about the attacks.
An analysis by security researchers at Metamask and Paradigm suggests the likely root cause: Squarespace assumed that all Google Domains migrants would use the social login options (“Continue with Google” or “Continue with Apple”) rather than the “Continue with email” alternative.
Taylor Monahan, lead product manager at Metamask, said Squarespace did not anticipate the case in which a malicious actor registers an account using an email address associated with a recently migrated domain before the rightful owner of that email address sets up their own account.
According to Monahan, Squarespace did not require email verification for accounts newly created with an email address and password.
Pointing to the flaw in Squarespace’s process, Monahan said, “The domains being transferred from Google to Squarespace are identifiable. It’s either publicly known or easily determined which email addresses have administrative control over a domain. If the legitimate email doesn’t set up the account on Squarespace – perhaps because the billing administrator departed from the company several years ago or if individuals merely overlooked the email – anyone entering that email@domain in the Squarespace form can gain complete domain control.”
The researchers add that migrated domains could also be hijacked if an attacker identified the email address of a less privileged user on the domain, such as a “domain manager,” a role that can also transfer a domain or redirect it to another web address.
Squarespace says domain owners and domain managers have many of the same privileges, including the ability to transfer a domain and to manage the site’s domain name system (DNS) settings.
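The account-claim flaw described above, modelled as an added example (this is not Squarespace’s code, and the data model is an assumption): a registrar keeps the owner and manager contact emails for each migrated domain, and an email-and-password signup attaches any matching domains to the new account. The vulnerable registry does this at signup with no proof that the registrant controls the mailbox, so whoever types the email first gets the domain; the hardened variant creates the account unverified, issues a one-time token that would be delivered to that mailbox, and attaches domains only after the token is presented. The sample domain and contact addresses are constructed for the example.

```python
"""Added example, not Squarespace's code: unverified-email account claim
(vulnerable) versus verify-then-attach (hardened). Data model is assumed."""
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample data: one migrated domain with the contact addresses
# that held owner / manager roles at the previous registrar.
MIGRATED_DOMAINS = {
    "example.com": {"owner": "billing@example.com", "managers": ["it@example.com"]},
}

DNS_ROLES = ("owner", "manager")  # both roles may transfer a domain or edit DNS


@dataclass
class Account:
    email: str
    password_hash: str
    email_verified: bool = False
    domains: dict = field(default_factory=dict)  # domain -> role


def _hash_password(password: str) -> str:
    # Stand-in for a real password hash (argon2/bcrypt); salted so the
    # example does not store a raw password.
    salt = secrets.token_hex(8)
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


class VulnerableRegistry:
    """Email+password signup with no verification; domains attach on signup."""

    def __init__(self, migrated: dict):
        self.migrated = migrated
        self.accounts: dict[str, Account] = {}

    def register(self, email: str, password: str) -> Account:
        if email in self.accounts:
            raise ValueError("account already exists")
        # The flaw: the address is treated as proven the moment it is typed.
        acct = Account(email, _hash_password(password), email_verified=True)
        self._attach_domains(acct)
        self.accounts[email] = acct
        return acct

    def _attach_domains(self, acct: Account) -> None:
        # Bind every migrated domain whose owner or manager contact matches.
        for domain, contacts in self.migrated.items():
            if acct.email == contacts["owner"]:
                acct.domains[domain] = "owner"
            elif acct.email in contacts["managers"]:
                acct.domains[domain] = "manager"

    def can_change_dns(self, email: str, domain: str) -> bool:
        return self.accounts[email].domains.get(domain) in DNS_ROLES


class HardenedRegistry(VulnerableRegistry):
    """Same flow, but domains attach only after the mailbox is proven."""

    def __init__(self, migrated: dict):
        super().__init__(migrated)
        self.pending: dict[str, str] = {}  # one-time token -> email

    def register(self, email: str, password: str) -> str:
        if email in self.accounts:
            raise ValueError("account already exists")
        # Account exists but is unverified and owns nothing yet.
        self.accounts[email] = Account(email, _hash_password(password))
        token = secrets.token_urlsafe(32)
        self.pending[token] = email
        # Returned here to stand in for delivery to the mailbox; only the
        # real mailbox owner ever sees it.
        return token

    def verify(self, token: str) -> Account:
        email = self.pending.pop(token, None)  # single use
        if email is None:
            raise PermissionError("unknown or already-used token")
        acct = self.accounts[email]
        acct.email_verified = True
        self._attach_domains(acct)
        return acct

    def can_change_dns(self, email: str, domain: str) -> bool:
        acct = self.accounts[email]
        return acct.email_verified and acct.domains.get(domain) in DNS_ROLES


def demo() -> tuple[bool, bool]:
    """An attacker who guessed the manager address signs up first on each system."""
    guessed = "it@example.com"
    vulnerable = VulnerableRegistry(MIGRATED_DOMAINS)
    vulnerable.register(guessed, "hunter2")
    hardened = HardenedRegistry(MIGRATED_DOMAINS)
    hardened.register(guessed, "hunter2")  # token goes to the real mailbox, not the attacker
    return (vulnerable.can_change_dns(guessed, "example.com"),
            hardened.can_change_dns(guessed, "example.com"))


if __name__ == "__main__":
    print("attacker controls DNS: vulnerable=%s hardened=%s" % demo())
```

The hardened version still lets the attacker create an account under someone else’s address; what it withholds is the privileged binding. The legitimate owner later proves the mailbox and receives the domain, and the stale attacker account is left with nothing it can act on.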
Monahan said the migration left domain owners with fewer options for securing and monitoring their accounts.
Describing the limits users face, Monahan said, “Squarespace fails to assist users seeking control and visibility into the actions conducted within their account or domain. You essentially lack authority over various access levels granted to individuals. There are no audit trails. Some actions don’t trigger email notifications. The owner won’t receive email alerts for actions taken by a ‘domain manager.’ This setup is absolutely illogical if you’re accustomed to and expect the controls provided by Google.”
The researchers have published a detailed guide to securing Squarespace user accounts. It recommends enabling multi-factor authentication (MFA), which was disabled during the migration.
The guide’s first step is to find out who already has access: “Identifying which emails have access to your new Squarespace account is the first step. Most teams are unaware of these accounts’ existence, let alone their potential access.”
Further recommendations include removing unneeded Squarespace user accounts and disabling reseller access in Google Workspace.
Explaining the risks, the document states, “If you acquired Google Workspace through Google Domains, Squarespace is now your certified reseller. This signifies that anyone with access to your Squarespace account also holds a backdoor into your Google Workspace unless explicitly turned off by following the provided instructions, which is highly recommended for improved security.”
Update, July 23, 1:50 p.m. ET: Squarespace has published a post-incident report on the event. The statement attributes the domain hijacks to “a vulnerability related to OAuth logins,” which Squarespace says it fixed promptly; this conclusion differs from the researchers’. Excerpts from the statement follow:
“Throughout this event, all compromised accounts had employed third-party OAuth. Neither Squarespace nor any third-party authenticator adjusted the authentication process during the domain migration from Google Domains to Squarespace. It should be noted that this domain transition did not involve any modifications to multi-factor authentication before, during, or after migration.”
“Currently, there is no evidence of any compromise to Google Workspace accounts, and no complaints have been received from customers regarding this matter. As a reseller, Squarespace handles billing, but clients directly access Workspace using their Google credentials.”
“Our assessment revealed no indication that Squarespace accounts utilizing email-based login with an unverified email address were linked to this attack.”
