
Security Flaw in Squarespace Migration Leads to Multiple Domain Hijackings

Between July 9 and July 12, 2024, at least a dozen organizations using domain registrar Squarespace experienced domain hijackings. These incidents predominantly targeted cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. Attackers exploited a critical flaw in Squarespace’s migration process from Google Domains, allowing them to commandeer unclaimed accounts and redirect the hijacked domains to phishing sites designed to steal cryptocurrency funds.


Background and Migration Process

In June 2023, Squarespace acquired approximately 10 million domain names from Google Domains. The migration process, intended to be seamless, involved pre-linking the email addresses associated with Google Domains accounts to new Squarespace accounts. Squarespace assumed users would sign in with social login options such as “Continue with Google” or “Continue with Apple.” However, until recently it was also possible to log in with an email address alone, and that option became a significant security loophole.


Methodology of the Attack

The attackers identified and exploited this oversight by creating accounts using email addresses associated with recently migrated domains before the legitimate owners could register their accounts. This allowed the attackers to gain control without email verification. Once inside the account, they manipulated DNS records to redirect domain traffic and changed MX records to intercept emails.


Expert Analysis and Findings

Security experts from Metamask and Paradigm conducted an analysis, revealing that Squarespace did not account for the possibility of threat actors exploiting the email-based login option. Taylor Monahan, lead product manager at Metamask, explained that since there was no password on the account initially, attackers could complete the account setup and gain full access to the domains.

Monahan stated, “Nothing actually stops them from trying to log in with an email. Since there’s no password on the account, it just shoots them to the ‘create password for your new account’ flow. And since the account is half-initialized on the backend, they now have access to the domain in question.”
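The mechanism described in the two sections above, the attack itself and Monahan's explanation of the half-initialized account, can be shown side by side with a fix. The following is an added example, not Squarespace's code and not from the Metamask/Paradigm analysis: a pre-linked account with no password that drops any email-only login into the create-password flow, next to a hardened variant that refuses to complete setup until a one-time claim token delivered to the linked mailbox is presented. All names (`Account`, `VulnerableRegistrar`, `HardenedRegistrar`, `owner@example.com`) are hypothetical.

```python
"""Added example: why an email-only login on a pre-provisioned account hands the
account to whoever asks first, and one way to require proof of mailbox ownership.
This is illustrative code, not Squarespace's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


def _hash(password: str) -> bytes:
    """Salted PBKDF2 hash; the salt is stored in front of the digest."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _verify(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    email: str
    password_hash: Optional[bytes] = None   # None == pre-linked, never set up
    domains: List[str] = field(default_factory=list)
    pending_claim_token: Optional[str] = None


class VulnerableRegistrar:
    """Models the flaw: an account with no password sends any caller who knows the
    address straight to 'create a password', and that caller then owns it."""

    def __init__(self, accounts: List[Account]):
        self.accounts = {a.email: a for a in accounts}

    def login_with_email(self, email: str, password: str) -> Optional[Account]:
        acct = self.accounts.get(email)
        if acct is None:
            return None
        if acct.password_hash is None:           # half-initialized: no proof asked
            acct.password_hash = _hash(password)  # caller's password becomes THE password
            return acct
        return acct if _verify(password, acct.password_hash) else None


class HardenedRegistrar:
    """Pre-linked accounts stay unusable until a token that was only ever sent to
    the linked mailbox is returned; knowing the address alone proves nothing."""

    def __init__(self, accounts: List[Account]):
        self.accounts = {a.email: a for a in accounts}

    def request_claim(self, email: str) -> Optional[str]:
        acct = self.accounts.get(email)
        if acct is None or acct.password_hash is not None:
            return None
        acct.pending_claim_token = secrets.token_urlsafe(32)
        # A real system emails this token; returning it here stands in for the mailbox.
        return acct.pending_claim_token

    def complete_claim(self, email: str, token: str, password: str) -> Optional[Account]:
        acct = self.accounts.get(email)
        if acct is None or acct.pending_claim_token is None:
            return None
        if not hmac.compare_digest(acct.pending_claim_token, token):
            return None
        acct.pending_claim_token = None
        acct.password_hash = _hash(password)
        return acct


def _migrated_accounts() -> List[Account]:
    # Constructed sample: one pre-linked account created by the migration.
    return [Account("owner@example.com", domains=["example.com"])]


def simulate_vulnerable() -> List[str]:
    """Domains a stranger controls after logging in with only the email address."""
    registrar = VulnerableRegistrar(_migrated_accounts())
    stranger = registrar.login_with_email("owner@example.com", "whatever")
    return stranger.domains if stranger else []


def simulate_hardened() -> tuple:
    """(stranger succeeded?, legitimate owner succeeded?) under the hardened flow."""
    registrar = HardenedRegistrar(_migrated_accounts())
    real_token = registrar.request_claim("owner@example.com")  # goes to the mailbox
    stranger = registrar.complete_claim("owner@example.com", "guessed-token", "whatever")
    owner = registrar.complete_claim("owner@example.com", real_token, "a-strong-passphrase")
    return (stranger is not None, owner is not None)


if __name__ == "__main__":
    print("vulnerable flow, stranger controls:", simulate_vulnerable())
    print("hardened flow (stranger ok, owner ok):", simulate_hardened())
```

The hardened variant is only one option; disabling the email path entirely and accepting federated login alone, as Squarespace eventually did, closes the same gap. Either way the defining property is that completing account setup requires something only the mailbox owner can produce.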


Immediate Response and Actions Taken

Sometime in the last 24 hours, Squarespace removed the ability for people to create an account with just an email address. However, this step came after the hijackings had already occurred, and the damage had been done. Squarespace has not yet issued an official statement or postmortem analysis of the incident.


Recommendations for Users

  1. Enable Multi-Factor Authentication (MFA): Log into your Squarespace account, create a new password, and enable MFA to enhance security.
  2. Audit and Remove Excess Contributor Accounts: Log in with the primary domain owner account and remove access to any contributors who no longer need it.
  3. Disable Reseller Access in Google Workspace: If your Google Workspace account was migrated, disable reseller access to prevent unauthorized changes.
  4. Review and Revert Unauthorized Changes: Check your DNS and Google Workspace settings for any unauthorized modifications and revert them as needed.
  5. Consider Transferring Domains: To mitigate future risks, consider transferring your domains to more secure registrars such as Cloudflare, Amazon Route53, or MarkMonitor.

Detailed Steps for Securing Your Account

Security experts have published a comprehensive guide for locking down Squarespace user accounts, emphasizing the importance of enabling multi-factor authentication, auditing user access, and securing Google Workspace integration. The guide provides step-by-step instructions for identifying which email accounts have access to your Squarespace account and removing unnecessary user accounts.

Step-by-Step Instructions:

  1. Enable MFA:
    • Log into your Squarespace account.
    • Navigate to the security settings.
    • Enable multi-factor authentication.
  2. Audit User Access:
    • Review the list of users with access to your domain.
    • Remove any users who no longer need access.
  3. Disable Reseller Access:
    • Access your Google Workspace admin panel.
    • Follow the instructions to disable reseller access provided by Squarespace.
  4. Revert Unauthorized Changes:
    • Check your DNS records to ensure they point to the correct servers.
    • Review MX records to ensure emails are routed correctly.
    • Revert any unauthorized changes.
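Step 4 above asks you to check that DNS and MX records still point where they should. The following added example (not part of the published guide) does that mechanically: it parses dig-style record lines, compares a saved baseline against a fresh snapshot, and reports any NS, A, AAAA, MX or CNAME record that appeared or disappeared, which is exactly the kind of change made in these hijackings. The record samples are constructed using reserved example addresses and names; the function and constant names are this example's own.

```python
"""Added example: detect unauthorized DNS/MX changes by diffing a trusted baseline
against a current snapshot. Lines use the owner/TTL/IN/type/rdata layout that
`dig +noall +answer` prints. Samples below are constructed, not real records."""
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str]          # (owner, type, rdata), all normalized

# Record types whose change redirects web traffic or mail.
CRITICAL_TYPES = {"NS", "A", "AAAA", "MX", "CNAME"}


def parse_records(text: str) -> Set[Record]:
    """Parse zone-file style lines; comments (;) and blank lines are ignored."""
    records: Set[Record] = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN":
            raise ValueError(f"unrecognised record line: {raw!r}")
        owner, _ttl, _cls, rtype, rdata = parts
        records.add((
            owner.lower().rstrip("."),
            rtype.upper(),
            " ".join(rdata.split()).lower(),   # collapse whitespace, case-fold names
        ))
    return records


def diff_records(baseline: Set[Record], observed: Set[Record]) -> Dict[str, List[Record]]:
    """Records present only in the snapshot ('added') or only in the baseline ('removed')."""
    return {
        "added": sorted(observed - baseline),
        "removed": sorted(baseline - observed),
    }


def findings(baseline_text: str, observed_text: str) -> List[str]:
    """Human-readable alerts for every critical record that changed."""
    delta = diff_records(parse_records(baseline_text), parse_records(observed_text))
    alerts: List[str] = []
    for owner, rtype, rdata in delta["added"]:
        if rtype in CRITICAL_TYPES:
            alerts.append(f"{owner} {rtype} now {rdata} (not in baseline)")
    for owner, rtype, rdata in delta["removed"]:
        if rtype in CRITICAL_TYPES:
            alerts.append(f"{owner} {rtype} {rdata} missing (was in baseline)")
    return alerts


# Constructed baseline captured before the migration (RFC 5737 / RFC 2606 values).
BASELINE = """
example.com.      3600 IN NS    ns1.example-dns.net.
example.com.      3600 IN NS    ns2.example-dns.net.
example.com.       300 IN A     203.0.113.10
example.com.      3600 IN MX    10 mail.example.com.
www.example.com.   300 IN CNAME example.com.
example.com.       300 IN TXT   "v=spf1 mx -all"
"""

# Constructed snapshot showing web traffic and mail pointed somewhere else.
OBSERVED = """
example.com.      3600 IN NS    ns1.example-dns.net.
example.com.      3600 IN NS    ns2.example-dns.net.
example.com.       300 IN A     198.51.100.77      ; changed
example.com.      3600 IN MX    10 mail.unknown-host.example.  ; changed
www.example.com.   300 IN CNAME example.com.
example.com.       300 IN TXT   "v=spf1 mx -all"
"""

if __name__ == "__main__":
    for alert in findings(BASELINE, OBSERVED):
        print("ALERT:", alert)
```

To use it against a live zone, save the output of `dig +noall +answer example.com NS` (and likewise for A, AAAA, MX and CNAME names you care about) while the records are known good, then feed a fresh capture as the observed text on a schedule; a non-empty result is the signal to revert and investigate. Because only record additions and removals are compared, TTL churn does not trigger alerts.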

Conclusion

The recent domain hijackings highlight the critical need for robust security measures during domain migrations. Organizations must remain vigilant and proactive in securing their digital assets. By following the recommendations and steps outlined above, Squarespace users can better protect their accounts and domains from unauthorized access and potential security threats.

For more detailed guidance, refer to the comprehensive security advisory published by Metamask and Paradigm, which includes additional steps and recommendations for securing Squarespace accounts.


Additional Resources

By taking these precautions and staying informed about potential vulnerabilities, organizations can mitigate the risks associated with domain migrations and protect their valuable digital assets from malicious actors.


How Can Netizen Help?

Netizen ensures that security gets built in, not bolted on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact


Copyright © Netizen Corporation. All Rights Reserved.