Saturday, December 14, 2024

Weak Safety Defaults Enable Squarespace Domain Hijacking – Krebs on Security

At least a dozen organisations whose domain names are registered with Area Internet Services (AIS) had their websites taken over last week. Squarespace acquired the registrar's assets in December of last year, yet many customers have still not set up their new accounts. Attackers reportedly found a weakness in Squarespace's migration process that let them take control of accounts that had not yet been claimed, simply by supplying an email address linked to a migrated domain.


Until recently, Squarespace’s website allowed users to log in via email address.

Squarespace experienced a brief series of domain name system (DNS) hijacks from July 9 to July 12, primarily targeting cryptocurrency firms, including Coinbase, Gemini, Bitstamp, and Kraken. In some cases, the hijacked domains were used to redirect visitors to fraudulent websites designed to drain unsuspecting victims' cryptocurrency holdings.

In June 2023, New York City-based GoDaddy acquired approximately 10 million domain names from Google Domains, with plans to gradually transfer them to its own platform. Despite repeated inquiries, Squarespace remains silent on the matter, neither issuing a statement nor making any public acknowledgment of the incidents.

A review by security researchers concludes that the most plausible explanation is that Squarespace assumed all users migrating from Google Domains would choose a social sign-in option, such as "Proceed with Google" or "Proceed with Apple," rather than the traditional "Proceed with email" option.

Monahan, lead product manager at MetaMask, said Squarespace failed to consider that a malicious actor could sign up for an account using an email address linked to a recently migrated site before the legitimate holder of that email had created the account.

As a result, there were no real barriers for anyone signing up with that email address, Monahan told KrebsOnSecurity. Since the account has no password yet, the site simply redirects the user to create one on the newly established account. Because the account was already partially initialized on the backend, it then has access to the domain.

According to Monahan, Squarespace's initial account creation process lacked an essential security control: email verification was not mandatory for new accounts created with a password.

Monahan noted that the email addresses tied to domains migrating from Google to Squarespace are often easy to find. "Publicly accessible information includes email addresses readily available on a website." If that email has not yet been used to set up an account on Squarespace, say because the billing administrator left the company five years ago or the email was simply overlooked, anyone entering that email address in the Squarespace form will gain full access to manage the site.
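The flaw described in the preceding paragraphs is an unverified-email account claim: a pre-provisioned account with no password is handed to whoever submits its email address first. The following is an added illustrative model, not Squarespace's code, contrasting that weak default with a design that requires proof of mailbox control before a migrated account becomes usable. The registrar classes, the `MIGRATED_ACCOUNTS` sample, the `outbox` stand-in for mail delivery and all addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: accounts pre-provisioned during a registrar migration, keyed by the
# email addresses that were authorised at the old registrar. No password has been set on any of
# them yet, which is the state the article describes for unclaimed migrated accounts.
MIGRATED_ACCOUNTS = {
    "billing@example.com": "example.com",   # address published on the site, admin left long ago
    "webmaster@example.net": "example.net",
}


def hash_password(password, salt=None):
    """PBKDF2 password hash; returns (salt, digest) so it can be stored and later verified."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class VulnerableRegistrar:
    """Weak default: a password sign-up on a pre-provisioned email claims the account outright."""

    def __init__(self, migrated):
        self.accounts = {e: {"domain": d, "password": None} for e, d in migrated.items()}

    def signup_with_email(self, email, password):
        acct = self.accounts.get(email)
        if acct is None or acct["password"] is not None:
            return None
        # No proof that the caller controls the mailbox: whoever types the address first wins.
        acct["password"] = hash_password(password)
        return acct["domain"]   # full management access to the migrated domain


class HardenedRegistrar:
    """Mailbox control must be proven before a pre-provisioned account becomes usable."""

    TOKEN_TTL = 15 * 60  # seconds a verification token stays valid

    def __init__(self, migrated, outbox, clock=time.time):
        self.accounts = {e: {"domain": d, "password": None} for e, d in migrated.items()}
        self.pending = {}     # email -> (sha256(token), expiry)
        self.outbox = outbox  # stand-in for the mail transport; only the mailbox owner reads it
        self.clock = clock

    def signup_with_email(self, email):
        # The password is deliberately NOT collected here. If it were stored alongside the
        # token, a legitimate owner who later clicks the link would activate an account that
        # carries the attacker's password. Whoever proves mailbox control chooses the password.
        token = secrets.token_urlsafe(32)
        self.pending[email] = (hashlib.sha256(token.encode()).digest(), self.clock() + self.TOKEN_TTL)
        self.outbox.append((email, token))
        # Identical response whether or not the address carries a migrated domain, so the form
        # cannot be used to learn which published addresses are pre-provisioned.
        return "verification_sent"

    def complete_signup(self, email, token, password):
        entry = self.pending.get(email)
        if entry is None:
            return None
        token_hash, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        if self.clock() > expiry or not hmac.compare_digest(token_hash, presented):
            return None
        del self.pending[email]  # single use
        acct = self.accounts.get(email)
        if acct is None or acct["password"] is not None:
            return None
        acct["password"] = hash_password(password)
        return acct["domain"]


def takeover_attempt(email="billing@example.com"):
    """Run the same unauthenticated claim against both designs and report what each hands out."""
    weak = VulnerableRegistrar(MIGRATED_ACCOUNTS)
    outbox = []
    strong = HardenedRegistrar(MIGRATED_ACCOUNTS, outbox)

    results = {"weak": weak.signup_with_email(email, "attacker-chosen")}
    results["strong_unknown_email"] = strong.signup_with_email("nobody@example.org")
    results["strong_known_email"] = strong.signup_with_email(email)
    # Without the mailbox, the caller can only guess the token.
    results["strong_guess"] = strong.complete_signup(email, secrets.token_urlsafe(32), "attacker-chosen")
    # The real mailbox owner reads the verification mail and finishes the claim.
    to, token = outbox[-1]
    results["owner"] = strong.complete_signup(to, token, "owner-chosen")
    # A replay of the same token after use must fail.
    results["replay"] = strong.complete_signup(to, token, "attacker-chosen")
    return results


if __name__ == "__main__":
    for k, v in takeover_attempt().items():
        print(f"{k}: {v}")
```

Two design points matter beyond "send a verification email": the password is chosen only after the token is presented, so a claim started by a stranger cannot be completed on their terms by the real owner clicking the link, and the sign-up response is the same for every address, so the form does not reveal which published emails are attached to migrated domains.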

Researchers warn that some migrated Squarespace domains could also be compromised if attackers discover email addresses linked to lower-privileged user accounts, such as "site manager," which can change a website's settings or shut it down altogether.

Domain owners and site managers share similar privileges, including the ability to move a website or manage its domain name system (DNS) settings.

After the migration, domain owners also have fewer options for securing and monitoring their accounts.

According to Monahan, Squarespace cannot help customers who want insight into the activity in their account or domain, because it does not offer that kind of management or visibility. "You're often at a loss for control when it comes to making decisions that are entirely outside your realm of influence." Without audit logs, you're flying blind, unable to track changes, monitor user activity, or detect potential security breaches. You may not receive email notifications for certain actions. It's utterly bizarre that the owner isn't receiving email notifications for actions taken by domain managers, especially if they're accustomed to the level of control offered by Google.
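The two gaps Monahan describes, no audit log and no owner notification when a lower-privileged manager acts, are what the following added example models. It is constructed for this page, not a Squarespace feature: `DomainAuditLog`, the `OWNER_NOTIFIED_ACTIONS` policy, the action names, the addresses and the IP values in `sample_day()` are all assumptions. It records every account action, notifies the owner when someone else performs a privileged one, and offers the review an owner wants when a site is suspected of being redirected.

```python
import json
import time

# Constructed policy: actions the domain owner is told about whenever someone other than the
# owner performs them. "site_manager" is the lower-privileged role the article describes.
OWNER_NOTIFIED_ACTIONS = {
    "dns.record.update",
    "dns.nameserver.update",
    "domain.transfer",
    "member.invite",
    "member.role.update",
}


class DomainAuditLog:
    """Append-only record of account actions plus owner notifications for privileged ones."""

    def __init__(self, domain, owner_email, outbox, clock=time.time):
        self.domain = domain
        self.owner_email = owner_email
        self.outbox = outbox      # stand-in for the mail transport
        self.clock = clock
        self.entries = []

    def record(self, actor, role, action, target=None, before=None, after=None):
        entry = {
            "ts": round(self.clock(), 3),
            "domain": self.domain,
            "actor": actor,
            "role": role,
            "action": action,
            "target": target,
            "before": before,
            "after": after,
        }
        self.entries.append(entry)
        if action in OWNER_NOTIFIED_ACTIONS and actor != self.owner_email:
            self.outbox.append({
                "to": self.owner_email,
                "subject": f"[{self.domain}] {action} on {target} by {actor} ({role})",
                "body": json.dumps(entry, sort_keys=True),
            })
        return entry

    def to_jsonl(self):
        """Serialise for shipping to a log store the owner controls, outside the registrar."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)

    def dns_changes_by_non_owners(self, since=0.0):
        """The first thing to review when a site is suspected of being pointed elsewhere."""
        return [
            e for e in self.entries
            if e["action"].startswith("dns.") and e["actor"] != self.owner_email and e["ts"] >= since
        ]


def sample_day():
    """Constructed sequence: an owner edit, then a site manager inviting a member and repointing the site."""
    outbox = []
    log = DomainAuditLog("example.com", "owner@example.com", outbox, clock=lambda: 1_720_600_000.0)
    log.record("owner@example.com", "owner", "dns.record.update", target="www A",
               before="203.0.113.10", after="203.0.113.11")
    log.record("manager@example.com", "site_manager", "member.invite", target="new-admin@example.org")
    log.record("manager@example.com", "site_manager", "dns.record.update", target="www A",
               before="203.0.113.11", after="198.51.100.77")
    log.record("manager@example.com", "site_manager", "site.page.edit", target="/about")
    return log, outbox


if __name__ == "__main__":
    log, outbox = sample_day()
    print(log.to_jsonl())
    print(f"{len(outbox)} owner notification(s); DNS changes by non-owners: "
          f"{[e['after'] for e in log.dns_changes_by_non_owners()]}")
```

The owner's own DNS edit and the manager's page edit produce log entries but no mail; the manager's invite and DNS change each produce a notification carrying the full entry, including the before and after values, which is exactly what the article says owners currently lack.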

Researchers have also flagged weaknesses in Squarespace's security features, stressing the importance of enabling multi-factor authentication to prevent unauthorized access to customer accounts, particularly after migrations that may have disabled this layer of protection.

"To get started with your new Squarespace account, the first crucial step is identifying which emails are authorized for access," the guidance says. "Many groups are unaware of these accounts' existence, let alone the theoretical possibility of accessing them."

The guidance also suggests removing dormant Squarespace user accounts and disallowing reseller access in Google Workspace as additional security measures.

If you purchased Google Workspace through Google Domains, Squarespace is now the authorized reseller under that license. That means anyone with access to your Squarespace account also gains access to your Google Workspace unless you deliberately block it by following the instructions provided here, a measure that should not be overlooked. It is easier to safeguard a single account.
