At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain.

From the story:

"...an analysis released by security experts at Metamask and Paradigm finds the most likely explanation for what happened is that Squarespace assumed all users migrating from Google Domains would select the social login options — such “Continue with Google” or “Continue with Apple” — as opposed to the “Continue with email” choice.

Taylor Monahan, lead product manager at Metamask, said Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain before the legitimate email holder created the account themselves.

“Thus nothing actually stops them from trying to login with an email,” Monahan told KrebsOnSecurity. “And since there’s no password on the account, it just shoots them to the ‘create password for your new account’ flow. And since the account is half-initialized on the backend, they now have access to the domain in question.”

https://krebsonsecurity.com/2024/07/researchers-weak-security-defaults-enabled-squarespace-domains-hijacks/

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks – Krebs on Security

Also from the story, a serious warning to people who previously purchased Google Workspace accounts via Google Domains (which are now Squarespace):

"If you bought Google Workspace via Google Domains, Squarespace is now your authorized reseller," the help document explains. "This means that anyone with access to your Squarespace account also has a backdoor into your Google Workspace unless you explicitly disable it by following the instructions here, which you should do. It’s easier to secure one account than two."
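As an added, constructed illustration of the account-claim flaw the analysis above describes (this is not Squarespace's or Google's code; the in-memory store, the field names, the token length and the mailbox stub are assumptions), the first function models a "Continue with email" path that initialises a pre-provisioned, never-logged-into account for whoever types the address, while the hardened path refuses to log into or initialise such an account until a one-time token mailed to the address on file is presented. A small audit helper lists the migrated accounts that are still unclaimed, which is the population such a defect exposes.

```python
"""Constructed model of the "half-initialised migrated account" flaw and a hardened claim flow.

Added example, not the registrar's implementation. The store, the Account fields,
the token size and the Outbox stub are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Account:
    email: str
    domain: str
    password_hash: Optional[str] = None     # None: created by bulk migration, owner never logged in
    email_verified: bool = False
    pending_challenge: Optional[str] = None


def hash_password(password: str) -> str:
    # Stand-in for a real password hash (Argon2/bcrypt) so the example has no dependencies.
    return hashlib.sha256(password.encode()).hexdigest()


def make_store() -> Dict[str, Account]:
    # Constructed sample: one account pre-provisioned by the migration, never claimed.
    return {"owner@example.com": Account("owner@example.com", "example.com")}


# --- vulnerable: "Continue with email" drops straight into "create a password" -------------
def vulnerable_continue_with_email(store: Dict[str, Account], email: str, password: str) -> Optional[str]:
    """Returns the domain the caller now controls, or None."""
    acct = store.get(email)
    if acct is None:
        return None
    if acct.password_hash is None:
        # No password exists, so the first password typed becomes the account's password.
        # Nothing here proves the caller can read mail at `email`: whoever arrives first wins.
        acct.password_hash = hash_password(password)
        return acct.domain
    if hmac.compare_digest(acct.password_hash, hash_password(password)):
        return acct.domain
    return None


# --- hardened: mailbox control must be proven before the account can be initialised --------
class Outbox:
    """Stand-in for the mail sender; records what a real system would e-mail."""
    def __init__(self) -> None:
        self.sent: List[tuple] = []

    def send(self, to: str, token: str) -> None:
        self.sent.append((to, token))


def request_claim(store: Dict[str, Account], outbox: Outbox, email: str) -> None:
    """Step 1: anyone may ask; the only effect is a token mailed to the address on file.

    Returns nothing either way, so the response does not reveal whether an account exists.
    """
    acct = store.get(email)
    if acct is None or acct.password_hash is not None:
        return
    acct.pending_challenge = secrets.token_urlsafe(32)
    outbox.send(email, acct.pending_challenge)


def complete_claim(store: Dict[str, Account], email: str, token: str, password: str) -> Optional[str]:
    """Step 2: only the holder of the mailed token may set the first password."""
    acct = store.get(email)
    if acct is None or acct.pending_challenge is None:
        return None
    if not hmac.compare_digest(acct.pending_challenge, token):
        return None
    acct.pending_challenge = None       # single use
    acct.email_verified = True
    acct.password_hash = hash_password(password)
    return acct.domain


def hardened_continue_with_email(store: Dict[str, Account], email: str, password: str) -> Optional[str]:
    """Login only; an uninitialised account cannot be entered or initialised from here."""
    acct = store.get(email)
    if acct is None or acct.password_hash is None or not acct.email_verified:
        return None
    if hmac.compare_digest(acct.password_hash, hash_password(password)):
        return acct.domain
    return None


def unclaimed_accounts(store: Dict[str, Account]) -> List[str]:
    """Audit helper: migrated accounts that nobody has claimed yet (the exposed population)."""
    return sorted(a.email for a in store.values() if a.password_hash is None)


if __name__ == "__main__":
    s = make_store()
    print("vulnerable flow grants:", vulnerable_continue_with_email(s, "owner@example.com", "first-come"))
    s, box = make_store(), Outbox()
    print("hardened login before claim:", hardened_continue_with_email(s, "owner@example.com", "x"))
    request_claim(s, box, "owner@example.com")
    print("still unclaimed:", unclaimed_accounts(s))
    print("claim with mailed token:", complete_claim(s, "owner@example.com", box.sent[0][1], "s3cret"))
```

The design point is that the hardened version separates "ask to claim" from "claim": the first step is harmless to let anyone trigger, the second is gated on a secret that only reaches the mailbox on file, and ordinary login never touches an uninitialised record. The audit helper is the check a registrar would run after a bulk migration to see how many such records remain.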

@briankrebs defending against threat surfaces opened up by mergers and acquisitions is an incredibly hard problem. Thanks for the prompting as it's definitely something we need to bake into protocol development like the Domain Relationship Policy Framework being developed. Good reminder.

#drpf #standards #security #considerations

@briankrebs I hope affected users will #ClassAction #SquareSpace into reimbursing all the costs associated with the fuckup!

@briankrebs

this must be made worse by the absolute shit communication from these companies about when exactly any one domain will be moved. i got a random (time) email notification AFTER it's been migrated, freaking me out about major DNS changes (that isn't an issue because they leave Google as the DNS provider...). the only "notice" i got was over a year ago

@briankrebs thinking outside the box be like. 😄

@briankrebs
One of the only things you can count on when it comes to tech giants is that they will be grossly irresponsible with your access and your data.

@briankrebs Is Squarespace still IPv4 only (no IPv6)? Not that that is relevant to the issue you raise, but it is indicative of a company with low technical aspirations.

@briankrebs great info, thanks! I thought it was a minor thing for me since I'm using cloudflare so I was putting this off

@briankrebs > Squarespace assumed all users migrating from Google Domains would select the social login options — such “Continue with Google” or “Continue with Apple” — as opposed to the “Continue with email” choice.

With all the scrutiny any form element on a publicly facing page would have, how is this even possible? Don't, you know, plan for your forms to be misused?

@briankrebs how, as a dev, do you implement something like that and not have alarm bells? surely they had ppl on the inside telling them about this
@briankrebs "Squarespace assumed all users migrating from Google Domains would select the social login options — such “Continue with Google” or “Continue with Apple” — as opposed to the “Continue with email” choice."

@briankrebs Just wow. People not thinking.

@briankrebs this is why I left Google domains day one I got the email about the upcoming transfer.

@briankrebs So glad I moved off the second that announcement occurred.

@briankrebs
> Squarespace assumed all users migrating from Google Domains would select the social login options — such “Continue with Google”

Yep, that sounds like humans to me. This was technically run by very few people who knew the details of the SSO integration and account migration process, and they thought "of course they will use the SSO option, wouldn't make sense to do anything else" and then went back to their mountain of tasks without giving it another thought.

@briankrebs If someone did think, "Hey, I should check the email-based registration flow," either they never got time to do it or it "worked," so they checked it off and moved on without thinking about the security implications if someone who is not the account owner started the workflow.
@briankrebs

First thing I did when Squarespace got involved, was move all my domains away from Google. So glad I did.