At least a dozen organizations have domain names at the domain registrar Square saw their websites hacked last week. Squarespace purchased all assets of Google domains over the past year, but many customers still haven’t set up their new accounts. Experts say malicious hackers have learned they can take control of any migrated Squarespace accounts that haven’t been registered yet, by providing an email address tied to an existing domain.
Until this past weekend, the Squarespace website had an email login option.
The hacking of the Squarespace domain, which took place between July 9 and July 12, appears to have mainly targeted cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Irresistible Domains. In some cases, attackers have managed to redirect stolen domains to phishing sites designed to steal visitors’ cryptocurrency.
New York City-based Squarespace bought nearly 10 million domain names from Google Domains in June 2023, and has been moving those domains to its service ever since. Squarespace did not respond to a request for comment, and did not issue a statement about the attack.
But an analysis released by security experts at Metamask and Paradigm finds the most likely explanation for what happened is that Squarespace assumed that all users migrating from Google Domains would choose social login options – such as “Continue with Google” or “Continue with Apple” – as it contradicts the “Continue by email” option.
Taylor Monahanlead product manager at Metamask, said Squarespace did not address the possibility that a threat actor could sign up for an account using an email associated with a newly migrated domain before the legitimate email owner created the account himself.
“So there’s nothing stopping them from trying to log in via email,” Monahan told KrebsOnSecurity. “And since there’s no password for the account, it just snaps them into the ‘create your new account password’ flow. And since the account is started on the back end, they now have access to the domain in question. “
Sometime in the last 24 hours, Squarespace removed the ability for people to create an account with just an email address. That option was available when KrebsOnSecurity created a Squarespace test account on Saturday (it’s unclear if Squarespace ever sent a confirmation email from that signup, but I still haven’t).
In addition, Monahan said, Squarespace does not require email verification for new accounts created with a password.
“Domains being moved from Google to Squarespace are known,” Monahan said. “It can be public or easily identifiable information about which email addresses belong to a domain administrator. And if that email never stops their account on Squarespace – say because the billing director left the company five years ago or people just ignored the email – anyone who enters that email@domain in the Squarespace form now has full control access to the domain. .”
The researchers say that some Squarespace domains that have been moved over could also be hijacked if attackers obtain the email addresses of user accounts that do not have privileges associated with the domain, such as a “domain administrator,” who also has the ability to forward the domain or point to it. a different internet address.
Squarespace says domain owners and domain administrators have many of the same rights, including the ability to move a domain or manage domain name server (DNS) settings.
Monahan said the move left domain owners with fewer options for securing and monitoring their accounts.
“Squarespace cannot support users who need any control or insight into the activity that takes place on their account or domain,” Monahan said. “You really can’t control the access different people have. You have no research logs. You do not receive email notifications for certain actions. The owner does not receive email notification of actions taken by the ‘domain manager.’ This is really crazy if you are used to and expect the controls that Google provides.”
Researchers have published a comprehensive guide to closing Squarespace user accounts, encouraging Squarespace users to enable multi-factor authentication (disabled during migration).
“Finding out which emails have access to your new Squarespace account is the first step,” advises the help guide. “Many groups DO NOT see that these accounts exist, let alone have access to them.”
The guide also recommends removing unnecessary Squarespace user accounts, and disabling reseller access to Google Workspace.
“If you purchased Google Workspace through Google Domains, Squarespace is now your authorized reseller,” the help document explains. “This means that anyone who has access to your Squarespace account also has a backdoor into your Google Workspace unless you explicitly disable it by following the instructions here, which you should do. It is easier to protect one account than two.”