In June 2023, Google entered an agreement to sell all of its Google Domains accounts to Squarespace, in a somewhat bewildering deal, reportedly worth $180 million, that came as a surprise to the tech industry. Squarespace acquired the accounts for approximately 10 million domains, giving the company the opportunity to cross-sell website packages to its incoming domain customers.
In an interview with The Verge, Squarespace CEO Anthony Casalena said his company was already using a lot of the same infrastructure Google is using in their Cloud DNS product, having resold Google Workspace for almost a decade. Being a reseller of Google Workspace was a major factor in Google’s decision to offer the domains to Squarespace, in addition to having the infrastructure to manage the business migrating over.
Over the past week, since July 9, more than a dozen domains using Squarespace as a registrar were hijacked, including notable cryptocurrency companies Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. These breaches forced the companies to advise users not to visit the website or click any links during the compromise.
Most assumed the hijacks happened because the account owners’ MFA settings were not migrated over and had to be re-enabled after the transfer.
Google Workspace Accounts Also Vulnerable to Compromise Through Squarespace
In an ironic twist on the story behind Squarespace’s acquisition of Google Domains, security researchers who have been helping teams recover and secure their accounts discovered that supplying an email address tied to an existing domain was all an attacker needed to gain access. That access was not limited to the Squarespace account: it extended to the Google Workspace account of any team whose licenses had been transferred to Squarespace.
In a post-mortem published today, security researchers at MetaMask and Paradigm detailed the industry-wide incident response required to mitigate these exploits.
“Contrary to early reports, the attacks were not caused by user negligence, such as reusing weak passwords or not enabling MFA,” the researchers said. They identified a loophole, which was put in place to facilitate the migration, wherein a domain owner and any collaborators were given “domain manager with billing access” permission on Squarespace, and the last person responsible for payment on the domain would be granted the “domain owner” permission.
They suspect Squarespace simply marked these emails as authorized on the domain even though the corresponding accounts did not yet exist after migration. Combine the ability to log in with just an email address with the fact that Squarespace did not require email verification for new accounts created with a password, and you have a straightforward way to compromise accounts:
Based on all the data we have, we think the most likely explanation for what happened is that Squarespace assumed all users migrating from Google Domains would use the “Continue with Google” login method, which would also implicitly verify ownership of the email.
Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain before the legitimate email holder created the account themselves.
This also enabled threat actors to do things like transfer the domain to another Squarespace account or third-party registrar, change the name servers, edit DNS records, send emails as the domain, add domain managers, create a new Google Workspace for the domain, and even hijack the Workspace attached to the domain. This would also enable access to emails and other Google services, as well as the ability to log into third-party sites via Google OAuth 2.0.
Squarespace did not send email notifications for critical actions and changes to domains, making many of the recent hijacks undetectable until it was too late. Since the domains were auto-transferring after a certain date, many domain contributors had forgotten that their accounts were being migrated and did not respond in a timely way. Some may not even have access if the people responsible have moved on to another company.
Customers whose domains were being transferred now find themselves in a situation outside their control unless they selected another registrar when the news broke about Squarespace acquiring Google Domains. There were even victims among those who had impeccable security protocols in place.
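The migration flaw described above, modelled as an added example in constructed toy code (not Squarespace’s or the researchers’ code): imported grants are keyed by email address and exist before the matching account does, so the only question is whether signup binds them to an unverified address. The domain, email addresses and role names are constructed for illustration.

```python
"""Toy model of the Google Domains to Squarespace migration flaw (constructed)."""
from dataclasses import dataclass, field

# Constructed data: roles imported for a migrated domain, keyed by email
# address, before any account for those addresses exists on the new registrar.
IMPORTED_GRANTS = {
    "example.com": {
        "billing@example.com": "domain owner",
        "dev@example.com": "domain manager with billing access",
    }
}


@dataclass
class Account:
    email: str
    email_verified: bool
    roles: dict = field(default_factory=dict)  # domain -> role


def roles_for(email):
    """Collect every imported grant that names this address."""
    return {d: g[email] for d, g in IMPORTED_GRANTS.items() if email in g}


def signup_vulnerable(email, password, *, via_google=False):
    # Flaw: pre-authorized grants are attached to whoever first claims the
    # address, whether or not ownership of the mailbox was ever proven.
    acct = Account(email, email_verified=via_google)
    acct.roles = roles_for(email)
    return acct


def signup_hardened(email, password, *, via_google=False):
    # Fix: a password signup starts with no roles. Grants are attached only
    # once the address is proven, either by the OAuth login (which verifies the
    # email implicitly) or by completing a verification link.
    acct = Account(email, email_verified=via_google)
    if acct.email_verified:
        acct.roles = roles_for(email)
    return acct


def verify_email(acct):
    """Simulates the user completing the verification link for the address."""
    acct.email_verified = True
    acct.roles = roles_for(acct.email)
    return acct
```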
What Squarespace Customers Can Do to Secure Their Domains
Although Squarespace has made changes to patch these vulnerabilities, it’s clear their security infrastructure was not commensurate with the level of protection most large enterprises expect for their domains. The researchers’ post-mortem commented on how “short-sighted the Google Domain acquisition” seemed and advised users to move to another registrar when possible:
Taking on the myriad of large enterprises, long-time Google customers, those with high-value assets, and organizations frequently targeted by nation-state level threat actors seems…insane.
As it stands, Squarespace is simply not a viable option for anyone in the cryptocurrency industry, or any organization that requires deeper insight and control over their domains.
The researchers outlined a number of engineering lessons gleaned from the holes in Squarespace’s security and encouraged companies to empower engineering and security teams to impact business decisions in order to avoid these scenarios.
Current Squarespace customers can better secure their accounts by ensuring they have 2FA enabled with a new, unique password and removing any additional contributors who do not have 2FA enabled. Domains are a hotbed for abuse because of the level of access they unlock for anyone who gains control over them, allowing attackers to redirect traffic, intercept emails, and potentially access sensitive information stored on associated websites. By securing domains with strong authentication measures, domain owners can significantly reduce the risk of unauthorized access and potential exploitation.