If you had a domain with Google Domains, it’s likely that this has now moved to Squarespace. Over the last month or so, it’s come to light that weak security at Squarespace aided in domain hijacks.
Before I continue, you can also read this on Medium.com!
Introduction
You might not have known, but when Google had the amazing idea to close down Google Domains, Squarespace actually bought all their assets.
In short: if you had a domain with Google Domains, this is now with Squarespace.
It comes in line with so many other services that Google has shut down for seemingly no reason.

The transfer of user data and domains isn’t completely out of the ordinary. What was different this time, however, was that there seemed to be next to no security for accounts that hadn’t been initialised on Squarespace yet.
And with roughly 10 million domains transferred, the odds are definitely stacked that some percentage of these customers would forget to log in to Squarespace and complete the setup process.
Squarespace Weak Security Aided In Domain Hijacks
The domain hijacks took place between the 9th and 12th of July, and mainly affected larger cryptocurrency and financial businesses. These included Celer Network and Compound Finance to name a few.
It appears that the root of the problem was Squarespace assuming that all these accounts would be set up with a Google or Apple account and not a basic email and password combination.
That assumption really came back to bite them!
You see, if Google or Apple authentication was used, then there would have been more security inherently in place. More notifications about the login. More 3rd-party checks and multi-factor authentication.
But with the email and password combo, it seems anyone that entered the email of one of these affected accounts could start the initial signup process and gain access to the domain.
As a cherry on top, Squarespace also didn’t require email verification for new accounts created with a password.
With all 10 million migrated domains being either public info or easy to discern, it didn’t take long for malicious actors to start gaining access to domains and routing traffic to less than desirable locations.
What a mess!
No logging, no verification, no checks, no email notifications, no multi-factor authentication and all the affected accounts are public. A perfect storm…
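To make the missing check concrete, here is a simplified model of the claim flow as this post describes it, next to a version that requires proof of mailbox control. This is an added example, not Squarespace's code; the account store, function names and sample email are all made up for illustration.

```python
import hashlib, hmac, secrets, time

def new_store():
    # Constructed sample: a migrated account with no password set yet.
    return {"owner@example.com": {"domains": ["example.com"], "pw_hash": None}}

def hash_password(password):
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def claim_unverified(store, email, password):
    """Weak flow as the post describes it: knowing the email is enough."""
    acct = store.get(email)
    if acct is None or acct["pw_hash"] is not None:
        return False
    acct["pw_hash"] = hash_password(password)  # no proof of mailbox control
    return True

class VerifiedClaim:
    """Hardened flow: single-use, expiring token mailed to the address on file."""
    TTL = 900  # seconds

    def __init__(self, store):
        self.store = store
        self.pending = {}  # email -> (sha256 of token, expiry time)

    def start(self, email, now=None):
        now = time.time() if now is None else now
        acct = self.store.get(email)
        if acct is None or acct["pw_hash"] is not None:
            return None  # the HTTP response should look the same either way
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[email] = (digest, now + self.TTL)
        return token  # delivered by email only, never shown to the requester

    def finish(self, email, token, password, now=None):
        now = time.time() if now is None else now
        digest, expiry = self.pending.pop(email, (None, 0))  # one attempt per token
        if digest is None or now > expiry:
            return False
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(digest, supplied):
            return False
        self.store[email]["pw_hash"] = hash_password(password)
        return True
```

In the first function the only secret is the email address, which is public for most domain owners. In the second, the password can only be set by someone who can read mail sent to that address.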
Squarespace Responds
A report was posted on the 23rd of July which strangely blames the domain hijacking on apparent weaknesses in 3rd-party OAuth logins.
The report is quite long, so here are the most important bits:
“During this incident, all compromised accounts were using third-party OAuth. Neither Squarespace nor any third-party authentication provider made any changes to authentication as part of our migration of Google Domains to Squarespace. To be clear, the migration of domains involved no changes to multi-factor authentication before, during or after.”
“To date there is no evidence that Google Workspace accounts were or are at risk, and we have received no customer reports to this effect. As a reseller, Squarespace manages billing but customers access Workspace directly using their Google account.”
“Our analysis shows no evidence that Squarespace accounts using an email-based login with an unverified email address were involved with this attack.”
Conclusion
Either way – if this was an issue with Squarespace or with 3rd-party OAuth providers, this is a massive mess-up for the migration. It’s certainly something they will take into account moving forward, I can guarantee that!
It’s not surprising either how this news has gone relatively unnoticed, what with Crowdstrike bricking millions of systems around the world!
Well, I hope you learned something from this post. And if your domain was migrated from Google Domains to Squarespace, PLEASE follow the official recommendations and get your Squarespace account set up ASAP.
Enjoy! 🎉