Multiple firms managing their domain names through domain registrar Squarespace have reported instances of hijacking in the last week. The Squarespace domain hijacking was a result of security flaws following Squarespace’s acquisition of Google Domains assets last year. Former customers of Google domains became victims of the hijack after they failed to open an account on the platform.
Squarespace Domain Hijacking in Detail
In June 2023, Squarespace, based in New York City, secured nearly 10 million domain names from Google Domains and has been gradually transferring these domains to its own service.
The exploitation of domain hijacking primarily took place from July 9-12. The cyberattackers primarily targeted Bitcoin companies like Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains.
According to an article by KrebOnSecurity, the attackers were able to take control of Squarespace accounts that migrated without Google registration and instead used an email address linked to the domain. In a few cases, criminals redirected the hijacked domains to phishing websites that were designed to steal cryptocurrency funds from unsuspecting individuals.
As of publication time, Squarespace has not responded to the hijack or issued a public statement on the matter.
Security Experts Explain Loophole by Squarespace
A study conducted by researchers at Metamask and Paradigm speculates that the main reason for the hijacks could be that Squarespace assumed that all users would migrate from Google Domains and then select social login options such as “Continue with Google” or “Continue with Apple” instead of the “Continue with email” selection.
Metamask’s leading product manager, Taylor Monahan, emphasized that Squarespace did not consider the possibility that a threat actor could register an account with an email address connected to a recently-migrated domain before the real holder could access the account themselves.
“As a result, there’s nothing stopping them from attempting to log in with an email address,” Monahan told KrebsOnSecurity. “Since there’s no password set on the account, it simply redirects them to the ‘create password for your new account’ process. And because the account is partially initialized on the backend, they now have control over the domain in question.”
Moreover, Monahan disclosed that the registration of new accounts with emails did not require the emails to be verified either.
The transfers of domains from Google to Squarespace are public records, Monahan said.
“It’s either public or readily obtainable knowledge regarding which email addresses have administrative control over a domain. If the email address has never been used to pull out a Squarespace account, it’s possible that anyone who enters that email@domain combination in the Squarespace form now has full control over the domain.”
A breach is possible when attackers manage to get the email addresses of lower-privilege accounts that are currently active users of the domain, such as the “domain manager,” who, for example, is among the few people who can either transfer control of the domain or redirect it to another internet location.
Users have few options for monitoring account activity, Monahan added. “You basically have no control over the access different folks have. You don’t have any audit logs. You don’t get email notifications for some actions. The owner doesn’t get email notification for actions taken by a ‘domain manager.’ This is absolutely insane if you’re used to and expecting the controls Google provides.”
Recommendations for Squarespace Users
The researchers identified that some migrated Squarespace domains were also vulnerable to hijacking if attackers discovered email addresses for lower-privileged user accounts connected to the domain, such as “domain manager,” which also has the capability to transfer a domain or redirect it to a different internet address.
Monahan expressed concerns that the migration process has left domain owners with limited options to secure and monitor their accounts.
“One of the first steps to complete is to carry out a test to see which people can access your new account on Squarespace,” he advises. “The teams, in most cases, do not even know about the accounts’ existence.”
The researchers’ study includes a detailed guide on securing Squarespace user accounts, urging Squarespace users to enable multi-factor authentication, which was disabled during the migration process. The guide also mentions deleting the Squarespace user accounts that are no longer needed as well as removing reseller access in Google Workspace.
If it was Google Domains you took Google Workspace from, Squarespace might also be your authorized reseller,” the help document explains.
“That means anyone with your Squarespace account can also access your Google Workspace through the backdoor unless you explicitly disable it following the instructions provided here, which are highly recommended. It’s safer to protect one account rather than two.”