July 15th, 2024

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks

Researchers found that weak security defaults at Squarespace let attackers hijack several domains, many of them belonging to cryptocurrency businesses. Accounts provisioned during the migration from Google Domains could be claimed by anyone who knew the associated e-mail address, and hijacked domains were redirected to phishing sites. Squarespace has since tightened its account-creation flow.


Researchers have found that weak security defaults at Squarespace let attackers hijack several domains, many of them belonging to cryptocurrency businesses. The problem arose from the migration of domains from Google Domains to Squarespace. For each migrated domain, Squarespace provisioned an account keyed on the domain's contact e-mail address, but it never verified that address and set no password; the company assumed the legitimate owner would be the first to log in. Anyone who entered such an address before the owner did was sent straight into the "create a password for your new account" flow and, because the account was already half-initialized on the backend, came out with control of the domain. Attackers used this to redirect domains to phishing sites built to steal cryptocurrency. Squarespace has since removed the option to create an account with only an e-mail address. Security researchers recommend that affected customers enable multi-factor authentication and audit the user accounts attached to their Squarespace domains. The incident is a reminder that a migration needs its own verification step: an address inherited from another registrar is not proof that whoever presents it controls the mailbox.

AI: What people are saying
The comments on the article about Squarespace's security issues and the migration from Google Domains highlight several key points:
  • Criticism of Squarespace's security negligence, with some calling for accountability and legal consequences.
  • Concerns about the lack of email verification and its security risks, with suggestions for stricter verification processes.
  • Disappointment with Google's decision to sell Google Domains to Squarespace, leading to security vulnerabilities.
  • Recommendations for alternative domain registrars and dissatisfaction with Squarespace's overall service quality.
  • Calls for a more secure and trustworthy domain registrar, similar to Let's Encrypt for SSL certificates.
15 comments
By @kentonv - 4 months
So many products make email verification optional in order to improve their funnel. But it's a huge security risk, because it leads to bugs like this. Very few engineers and PMs will actually stop to think: "Wait, what if the user's email address isn't verified?"

I kind of wish we could just pass a law that says you have to validate email addresses before attaching them to accounts at all. Because otherwise, competitive pressure will keep pushing people towards not doing it and aiming this gun at their foot in the name of conversions.

In the absence of a law: If your service insists on allowing unverified email addresses, you should store them in a completely different place in your database from verified ones. Maybe even obfuscate them with some encoding. Do whatever you can to make it really hard for anyone to accidentally rely on an unverified address. Ideally make it impossible for anyone except the team in charge of authentication to even see an unverified address.

On another note, holy shit. So many people (myself included) chose Google Domains specifically because they thought it would be secure and trustworthy, because it's Google. Won't make that mistake again.

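The half-initialized account flow described in the article summary above, with the "keep unverified addresses somewhere the login path cannot see them" idea from @kentonv's comment applied in the hardened version, as an added Python example. This is not code from the page, from Squarespace, or from any commenter: the two registrar classes, the e-mail address, the domain and the `outbox` list that stands in for a mail system are all constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


class AuthError(Exception):
    pass


def _hash_password(password: str, salt: bytes = b"") -> tuple:
    # PBKDF2 with a random per-account salt; returns (salt, hash).
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    email: str
    domains: list
    salt: bytes = b""
    pw_hash: bytes = b""      # empty means "no password set yet"


class VulnerableRegistrar:
    """The flow the article describes: migration pre-creates an account keyed
    only on an e-mail address, with no password. Whoever first presents that
    address is dropped into the 'create password' step and owns the account."""

    def __init__(self, migrated: dict):
        self.accounts = {e: Account(e, list(d)) for e, d in migrated.items()}

    def login_or_setup(self, email: str, password: str) -> list:
        acct = self.accounts.get(email)
        if acct is None:
            raise AuthError("unknown account")
        if not acct.pw_hash:
            # Half-initialized account: accept whatever password is supplied.
            # Nothing proves the caller controls the mailbox.
            acct.salt, acct.pw_hash = _hash_password(password)
            return acct.domains
        _, h = _hash_password(password, acct.salt)
        if not hmac.compare_digest(h, acct.pw_hash):
            raise AuthError("bad password")
        return acct.domains


class HardenedRegistrar:
    """Same starting state, but unverified addresses live in a separate table
    that the login path never reads, and a pending account can only be claimed
    with a single-use token delivered to that mailbox."""

    def __init__(self, migrated: dict, outbox: list):
        self.pending = {e: Account(e, list(d)) for e, d in migrated.items()}
        self.accounts = {}      # only verified, fully initialized accounts
        self.tokens = {}        # claim token -> e-mail, single use
        self.outbox = outbox    # stands in for the mail system (constructed)

    def request_claim(self, email: str) -> str:
        # Same response whether or not the address is pending, so this endpoint
        # cannot be used to enumerate migrated addresses.
        if email in self.pending:
            token = secrets.token_urlsafe(32)
            self.tokens[token] = email
            self.outbox.append((email, token))  # only the mailbox owner sees it
        return "If that address is pending migration, a claim link has been sent."

    def complete_claim(self, token: str, password: str) -> list:
        email = self.tokens.pop(token, None)    # pop: a token cannot be replayed
        if email is None:
            raise AuthError("invalid or already used token")
        acct = self.pending.pop(email)
        acct.salt, acct.pw_hash = _hash_password(password)
        self.accounts[email] = acct
        return acct.domains

    def login(self, email: str, password: str) -> list:
        acct = self.accounts.get(email)
        if acct is None:
            # A pending address is indistinguishable from an unknown one here.
            raise AuthError("unknown account or bad password")
        _, h = _hash_password(password, acct.salt)
        if not hmac.compare_digest(h, acct.pw_hash):
            raise AuthError("unknown account or bad password")
        return acct.domains


# Constructed sample data: placeholder address and domain, not real ones.
MIGRATED = {"admin@exchange.example": ["exchange.example"]}


def demo_vulnerable() -> list:
    # An attacker who merely knows the contact address walks off with the domain.
    return VulnerableRegistrar(MIGRATED).login_or_setup("admin@exchange.example", "attacker-chosen")


def demo_hardened() -> tuple:
    # Returns (attacker_blocked, domains the real owner ends up controlling).
    outbox = []
    reg = HardenedRegistrar(MIGRATED, outbox)
    reg.request_claim("admin@exchange.example")              # attacker triggers a mail ...
    try:
        reg.login("admin@exchange.example", "attacker-chosen")   # ... but still cannot log in
        blocked = False
    except AuthError:
        blocked = True
    _, token = outbox[-1]                   # the real owner reads the token from the mailbox
    return blocked, reg.complete_claim(token, "owner-chosen")
```

Two properties carry the weight here: the login path only ever consults `accounts`, which is populated solely by `complete_claim`, so an address in `pending` cannot be used to authenticate no matter who types it; and the claim token is popped on use, so a link forwarded or leaked after the owner has claimed the account is worthless.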
By @diggan - 4 months
> Taylor Monahan, lead product manager at Metamask, said Squarespace never accounted for the possibility that a threat actor might sign up for an account using an email associated with a recently-migrated domain before the legitimate email holder created the account themselves.

> “Thus nothing actually stops them from trying to login with an email,” Monahan told KrebsOnSecurity. “And since there’s no password on the account, it just shoots them to the ‘create password for your new account’ flow. And since the account is half-initialized on the backend, they now have access to the domain in question.”

This sounds like gross security negligence, and should probably be considered a crime when you're at the size of Squarespace with (assuming) a dedicated security team. Hopefully executives/management can be held responsible for whatever damage was done because of this.

By @meiraleal - 4 months
Wow, that's a terrible way for Google to manage customers' security, selling them to an incompetent buyer. So many red flags pushing me to stop using anything Google.
By @nikolay - 4 months
Google sold Google Domains to the worst possible buyer! Right after a bunch of my domains, one by one got transferred to those amateurs, creating a random subdomain for each domain, I started to receive notifications about somebody trying to reset my password!
By @23B1 - 4 months
This move of google domains over to squarespace is the dumbest deal I have ever experienced and it makes me hate both companies even more.
By @wintermutestwin - 4 months
When I evaluated Squarespace for a couple of nonprofits I work with, they lost out to Wix because Squarespace lacked a backup solution. I was stunned by that, but certainly not that such a clue-free team would cut security corners.

How is it possible that this team blew off backup functionality for a product that is targeted at low skill end users? Maybe they ran out of money paying designers for yet another template that utilizes a full screen image on the landing page?

By @IntToDouble - 4 months
By @jddj - 4 months
Ugh.

Any recommendations for a quality domain registrar? Might as well get started with the migration

By @TheNewsIsHere - 4 months
The problem with Squarespace remaining silent with this is that there’s a deafening lack of authoritative information about whether this issue has been patched. The researchers and Krebs are stopping short of making definitive statements because obviously only Squarespace can do that, and they aren’t.

I have emailed some former clients I knew to use Google Domains just as a heads up, with steps from the article.

It would be nice if Squarespace showed a modicum of ownership for their failings here.

By @christophilus - 4 months
Is there a reason that there isn’t a Let’s Encrypt-like disruptor for registrars? It seems like it’s such a cesspool.
By @awinter-py - 4 months
welp that was fast
By @hahahacorn - 4 months
I know we all make mistakes, and that I'm particularly fallible, but...

Damn.

I think I'm going to switch from fintech to cybersecurity.

By @WillPostForFood - 4 months
Clearly Squarespace is the guilty party here, but man, I am still upset Google shut down Domains, and can't help but direct some ire at their abandonment of yet another product.
By @dboreham - 4 months
For the impatient, what they did was: put a zillion DNS registration accounts into a limbo state where anyone who knew, or could guess the email address associated with an account, could supply that, and a password of their choice, to gain authentication credentials valid for the account because they stored the supplied password without any verification that it came from the owner of the associated email address.
By @tomrod - 4 months
So glad I migrated everything off of Squarespace. Just an awful experience. Slick website. Slow as mud movement for everything else. AND--the owner can't modify MX records, you have to create and grant admin rights as the owner to an entirely separate account.

Schnikey.