July 15, 2024

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain.

Until this past weekend, Squarespace’s website had an option to log in via email.

The Squarespace domain hijacks, which took place between July 9 and July 12, appear to have mostly targeted cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. In some cases, the attackers were able to redirect the hijacked domains to phishing sites set up to steal visitors’ cryptocurrency funds.

New York City-based Squarespace purchased roughly 10 million domain names from Google Domains in June 2023, and it has been gradually migrating those domains to its service ever since. Squarespace has not responded to a request for comment, nor has it issued a statement about the attacks.

But an analysis released by security experts at Metamask and Paradigm finds the most likely explanation for what happened is that Squarespace assumed all users migrating from Google Domains would select the social login options — such as “Continue with Google” or “Continue with Apple” — as opposed to the “Continue with email” choice.

Taylor Monahan, lead product manager at Metamask, said Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain before the legitimate email holder created the account themselves.

“Thus nothing actually stops them from trying to login with an email,” Monahan told KrebsOnSecurity. “And since there’s no password on the account, it just shoots them to the ‘create password for your new account’ flow. And since the account is half-initialized on the backend, they now have access to the domain in question.”

What’s more, Monahan said, Squarespace did not require email verification for new accounts created with a password.

“The domains being migrated from Google to Squarespace are known,” Monahan said. “It’s either public or easily discernible info which email addresses have admin of a domain. And if that email never sets up their account on Squarespace — say because the billing admin left the company five years ago or folks just ignored the email — anyone who enters that email@domain in the squarespace form now has full access to control the domain.”
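The flow the researchers describe above, reduced to a small model so the defect is visible: a migrated domain gets a pre-created, password-less account, and "Continue with email" sends an unclaimed address straight to a set-password step that no one verifies. This is an added illustration, not Squarespace code; the `Registrar` and `Account` classes, the domain `example.test` and the address `admin@example.test` are constructed for the example. The hardened variant keeps the claim inactive until a one-time token that only the mailbox owner could have received is presented.

```python
"""Account-claim flow on a migrated domain: the weak default the researchers describe
beside a hardened version that requires proof of mailbox control.

Added example, not Squarespace code. The data model (a migrated domain whose admin
email has a pre-created, password-less account) is an assumption for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Account:
    email: str
    password_hash: Optional[bytes] = None   # None: migrated but never claimed ("half-initialized")
    verified: bool = False                   # True only once the mailbox owner has proven control
    pending_token: Optional[str] = None      # one-time verification token (hardened mode only)


class Registrar:
    def __init__(self, require_verification: bool) -> None:
        self.require_verification = require_verification
        self.accounts: Dict[str, Account] = {}
        self.domains: Dict[str, str] = {}    # domain -> email that controls it

    def migrate(self, domain: str, admin_email: str) -> None:
        """Migration pre-creates the account record without a password."""
        self.accounts[admin_email] = Account(email=admin_email)
        self.domains[domain] = admin_email

    @staticmethod
    def _hash(password: str) -> bytes:
        # A fixed salt is fine for a demo; real code uses a random per-user salt.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 100_000)

    def login_with_email(self, email: str) -> str:
        """Mirror the 'Continue with email' step: an unclaimed account is sent to set a password."""
        acct = self.accounts.get(email)
        if acct is None:
            return "unknown"
        if acct.password_hash is None:
            return "set-password"            # the "create password for your new account" flow
        return "password-prompt"

    def set_password(self, email: str, password: str) -> str:
        acct = self.accounts[email]
        acct.password_hash = self._hash(password)
        if self.require_verification:
            # Hardened: the claim stays inactive until a token sent to the mailbox is presented.
            acct.pending_token = secrets.token_urlsafe(32)
            return "verification-required"
        acct.verified = True                 # weak default: a password alone completes the claim
        return "claimed"

    def verify(self, email: str, token: str) -> bool:
        """Complete the claim with the token that was (in real life) emailed to the address."""
        acct = self.accounts[email]
        if acct.pending_token is not None and hmac.compare_digest(acct.pending_token, token):
            acct.verified = True
            acct.pending_token = None
            return True
        return False

    def can_manage(self, email: str, domain: str) -> bool:
        acct = self.accounts.get(email)
        return (acct is not None and acct.verified
                and acct.password_hash is not None
                and self.domains.get(domain) == email)


def claim_without_mailbox(require_verification: bool) -> bool:
    """Return True if knowing only the admin email is enough to control the domain."""
    r = Registrar(require_verification)
    r.migrate("example.test", "admin@example.test")          # constructed sample
    assert r.login_with_email("admin@example.test") == "set-password"
    r.set_password("admin@example.test", "chosen-by-claimant")
    # Without the mailbox the claimant never sees the token, so verify() is never called.
    return r.can_manage("admin@example.test", "example.test")


def claim_with_mailbox() -> bool:
    """The legitimate owner completes the hardened flow by presenting the emailed token."""
    r = Registrar(require_verification=True)
    r.migrate("example.test", "admin@example.test")
    r.set_password("admin@example.test", "owner-password")
    token = r.accounts["admin@example.test"].pending_token   # stands in for reading the email
    assert token is not None
    return r.verify("admin@example.test", token) and r.can_manage("admin@example.test", "example.test")


if __name__ == "__main__":
    print("weak default, no mailbox needed:", claim_without_mailbox(False))   # True
    print("hardened, no mailbox:", claim_without_mailbox(True))               # False
    print("hardened, mailbox owner:", claim_with_mailbox())                   # True
```

The check that matters is in `can_manage`: control of the domain is tied to `verified`, which in the hardened variant only the holder of the emailed token can flip. A stricter design would not pre-create password-less accounts for migrated domains at all, so there is nothing to claim until the owner proves control of the address.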

The researchers say some Squarespace domains that were migrated over also could be hijacked if attackers discovered the email addresses for less privileged user accounts tied to the domain, such as “domain manager,” which likewise has the ability to transfer a domain or point it to a different Internet address.

Squarespace says domain owners and domain managers have many of the same privileges, including the ability to move a domain or manage the site’s domain name server (DNS) settings.

Monahan said the migration has left domain owners with fewer options to secure and monitor their accounts.

“Squarespace can’t support users who need any control or insight into the activity being performed in their account or domain,” Monahan said. “You basically have no control over the access different folks have. You don’t have any audit logs. You don’t get email notifications for some actions. The owner doesn’t get email notification for actions taken by a ‘domain manager.’ This is absolutely insane if you’re used to and expecting the controls Google provides.”
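When the registrar offers no audit log or change notification, the practical fallback is to watch the domain from the outside. The following is an added example, not from the article or any registrar: it keeps a baseline of each domain's records, compares it with a fresh snapshot, and ranks what changed (nameserver changes rank highest, since they indicate the domain itself has moved). The resolver is injected, so the check runs here against constructed snapshots under the reserved `.example` TLD; a scheduled job would pass in a function doing real lookups instead.

```python
"""DNS-drift check against a stored baseline, for domains whose registrar offers no
audit log or change notification.

Added example, not from the article or any registrar. The resolver is injected, so the
check runs offline here against constructed snapshots; a scheduled job would pass in a
function that performs real lookups instead.
"""
from typing import Callable, Dict, List, Tuple

Records = Dict[str, List[str]]            # record type -> values, e.g. {"NS": [...], "A": [...]}
Change = Tuple[str, str, str, str]        # (severity, rtype, "added"/"removed", value)

# Nameserver or SOA changes usually mean the domain itself moved; A/AAAA/CNAME/MX
# changes can redirect visitors or mail; TXT mostly affects verification records.
SEVERITY = {"NS": "critical", "SOA": "critical", "A": "high", "AAAA": "high",
            "CNAME": "high", "MX": "high", "TXT": "medium"}


def diff_records(baseline: Records, current: Records) -> List[Change]:
    """List every value added to or removed from the baseline, ordered by type and value."""
    changes: List[Change] = []
    for rtype in sorted(set(baseline) | set(current)):
        before = set(baseline.get(rtype, []))
        after = set(current.get(rtype, []))
        sev = SEVERITY.get(rtype, "low")
        changes += [(sev, rtype, "removed", v) for v in sorted(before - after)]
        changes += [(sev, rtype, "added", v) for v in sorted(after - before)]
    return changes


def check_domains(baselines: Dict[str, Records],
                  resolve: Callable[[str], Records]) -> Dict[str, List[Change]]:
    """Run the diff for each baselined domain; an empty list means no drift."""
    return {domain: diff_records(base, resolve(domain)) for domain, base in baselines.items()}


def worst_severity(changes: List[Change]) -> str:
    """Highest severity present in a change list, or "none" when nothing changed."""
    order = ["none", "low", "medium", "high", "critical"]
    return max((c[0] for c in changes), key=order.index, default="none")


# Constructed baselines; names use the reserved .example TLD and documentation addresses.
BASELINE: Dict[str, Records] = {
    "clean.example": {"NS": ["ns1.registrar.example", "ns2.registrar.example"],
                      "A": ["203.0.113.10"]},
    "redirected.example": {"NS": ["ns1.registrar.example", "ns2.registrar.example"],
                           "A": ["203.0.113.20"]},
    "moved.example": {"NS": ["ns1.registrar.example", "ns2.registrar.example"],
                      "A": ["203.0.113.30"]},
}

# Constructed "current" answers standing in for live lookups.
CURRENT: Dict[str, Records] = {
    "clean.example": BASELINE["clean.example"],
    "redirected.example": {"NS": BASELINE["redirected.example"]["NS"],
                           "A": ["198.51.100.99"]},                    # site now points elsewhere
    "moved.example": {"NS": ["ns1.other-host.example", "ns2.other-host.example"],
                      "A": ["203.0.113.30"]},                          # nameservers replaced
}


def constructed_resolver(domain: str) -> Records:
    """Offline stand-in for a real lookup function."""
    return CURRENT[domain]


if __name__ == "__main__":
    for domain, changes in check_domains(BASELINE, constructed_resolver).items():
        print(f"{domain}: {worst_severity(changes)}")
        for sev, rtype, action, value in changes:
            print(f"  [{sev}] {rtype} {action} {value}")
```

Run from more than one vantage point if possible: a hijacked domain can be served by new nameservers long before cached answers at a single resolver expire, so the baseline should be compared against authoritative answers rather than a local cache.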

The researchers have published a comprehensive guide for locking down Squarespace user accounts, which urges Squarespace users to enable multi-factor authentication (disabled during the migration).

“Determining what emails have access to your new Squarespace account is step 1,” the help guide advises. “Most teams DO NOT REALIZE these accounts even exist, let alone theoretically have access.”

The guide also recommends removing unnecessary Squarespace user accounts, and disabling reseller access in Google Workspace.

“If you bought Google Workspace via Google Domains, Squarespace is now your authorized reseller,” the help document explains. “This means that anyone with access to your Squarespace account also has a backdoor into your Google Workspace unless you explicitly disable it by following the instructions here, which you should do. It’s easier to secure one account than two.”

Update, July 23, 1:50 p.m. ET: Squarespace has published a post-mortem about the incident. Their statement blames the domain hijacks on “a weakness related to OAuth logins”, which Squarespace said it fixed within hours, and contradicts the findings presented by the researchers above. Here are the relevant bits from their statement:

“During this incident, all compromised accounts were using third-party OAuth. Neither Squarespace nor any third-party authentication provider made any changes to authentication as part of our migration of Google Domains to Squarespace. To be clear, the migration of domains involved no changes to multi-factor authentication before, during or after.”

“To date there is no evidence that Google Workspace accounts were or are at risk, and we have received no customer reports to this effect. As a reseller, Squarespace manages billing but customers access Workspace directly using their Google account.”

“Our analysis shows no evidence that Squarespace accounts using an email-based login with an unverified email address were involved with this attack.”


12 thoughts on “Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks”

  1. LarryF

    This isn’t just last week. Over a month ago I went to the website for a local business and was directed to a porn site. That has since been fixed.

  2. JJ

    “Sometime in the last 24 hours, Squarespace removed the ability for people to create an account with just an email address. ”

    I just went to their website and they allow email address and other options

  3. Dennis

    It’s a shame that Google just dumped us on that company. They have done it so many times before that I thought I learned my lesson. I’ve been trying to move my domains from Squarespace after I reviewed their control panel. And it’s been quite a pain to migrate your domains out.

    1. Brian Fiori (AKA The Dean)

      Did they not explain that the domain would now be under Squarespace? It seems Rudi, the commenter posting after you on 7/16, understood the option. I think by not acting, you made the choice to stay with Squarespace. Google deserves plenty of criticism for some of their decisions/actions. But I’m not sure it’s their responsibility to police the actions of the company that purchased one of their properties. Own your decision to stay with Squarespace.

  4. Rudi

    I migrated out from Google Domains right after they announced selling to Squarespace last year. I really didn’t see this coming; glad I made the right decision after all.

  5. JMagdelena

    This is the SEAL and SEAL 911 teams, not individual researchers I think.

  6. essayltd

    This incident with Squarespace domain hijacks is quite concerning, especially for businesses relying on their domain’s security. The oversight regarding email-based logins has exposed a significant vulnerability, as illustrated by the targeted attacks on cryptocurrency businesses. The transition from Google Domains to Squarespace seems to have left many users unprepared, with potentially devastating consequences.

  7. William

    “Taylor Monahan, lead product manager at Metamask, said Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain before the legitimate email holder created the account themselves.”

    Migrations are complex, but this should CERTAINLY have come up in design phase. I think this boils down to the same issues the industry has with troubleshooting, they do not run through enough scenarios and include enough different people in brainstorming these processes.

  8. Susan Henry

    SACLUX COMPTECH SPECIALST NEVER DISAPPOINT
    This happened to me recently: someone got my wallet hacked and my BTC was stolen. I contacted 2 techs but they took my money. This might have happened to you, or if anyone or someone you know has been scammed, it is crucial to notify the proper authorities as soon as possible to help recover lost funds and to prevent others from being victimized. Just after many trials, I hired SACLUX COMPTECH SPECIALST. They investigated, tracked and traced it back to the wallet where my BTC went through. I thought that was the end but fortunately for me, I got it back real quick with the help of Saclux Comptech Specialst. He is legit and very diligent with his work. Hire their service & thank me later.

    1. an_n

      I don’t believe you Susan Henry. I don’t even believe that’s your name.

  9. michal sam

    This article is interesting to read, but it is about domain security and this information is useful. You can check https://libgenis.net for more information.
