Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

Weak Security Defaults Enabled Squarespace Domains Hijacks (krebsonsecurity.com) 11

At least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Krebs on Security: Squarespace bought all assets of Google Domains a year ago, but many customers still haven't set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn't yet been registered, merely by supplying an email address tied to an existing domain. The Squarespace domain hijacks, which took place between July 9 and July 12, appear to have mostly targeted cryptocurrency businesses, including Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains. In some cases, the attackers were able to redirect the hijacked domains to phishing sites set up to steal visitors' cryptocurrency funds.

New York City-based Squarespace purchased roughly 10 million domain names from Google Domains in June 2023, and it has been gradually migrating those domains to its service ever since. Squarespace has not responded to a request for comment, nor has it issued a statement about the attacks. But an analysis released by security experts at Metamask and Paradigm finds the most likely explanation for what happened is that Squarespace assumed all users migrating from Google Domains would select the social login options -- such "Continue with Google" or "Continue with Apple" -- as opposed to the "Continue with email" choice.

This discussion has been archived. No new comments can be posted.

Weak Security Defaults Enabled Squarespace Domains Hijacks

Comments Filter:
  • I guess Squarespace is spending too much money paying for sponsorship space in YouTube videos across the platform to even consider blowing a dollar or two on security.

    Sales generate income, security generates costs?

    • by ceoyoyo ( 59147 )

      Security isn't their only problem. Some of their critical features don't work and their ticket response is "well, we have to test a lot of things before we chanage anything so we can't say when we might fix this." Then they send you a survey about how their service is.

      They're going to lose pretty much all those domains one way or another. The only question is whether they paid $180 million for the customers or the customers' information.

    • Sales generate income, security generates costs?

      Exactly, Security is a cost center. They consume dollars, they don't generate any.

      At best you send them paychecks and never hear from them (because everything is working properly) and that's why the bean counters hate them. They see all this money going out the door "for nothing" and decide they can cut back.

      Lather, rinse, repeat, until your Security team is down to a couple of underpaid Windows support techs who almost know how to install Norton.

      • Security is a cost but it is a cost that is extremely difficult to measure. The top accountant in your company is paid very well because companies can easily see the difference in value that accountants can bring in terms of cost savings and tax optimization. Your best programmer might be worth more than the accountant but management doesn't know that. When there is uncertainty less will be spent. Security is almost binary. Most of the time you haven't been compromised so you think what you are spendin
        • Yes, that's basically what I said.

          Security is a cost center and accountants hate cost centers, no matter how valuable or critical they are.

  • I find it interesting that at least some of the hijacked sites belonged to crypto companies. You would think that they would be both concerned about security and reasonably savvy about such things. The real world never ceases to amaze me.
    • by tlhIngan ( 30335 )

      I find it interesting that at least some of the hijacked sites belonged to crypto companies. You would think that they would be both concerned about security and reasonably savvy about such things. The real world never ceases to amaze me.

      Why? Most of them were probably set up to cash in on the hype and to separate fools from their money. Security isn't needed for corporate greed cashing in on the latest fad.

      Heck, even when BitCoin was still something relatively unknown, Mt. Gox didn't exactly have anything

    • by nyet ( 19118 )

      They? The exploit is absolutely a flaw introduced by squarespace and google together. Idiotic blame the victim mentality there, Chemist.

      https://securityalliance.notio... [notion.site]

    • You would think that they would be both concerned about security and reasonably savvy about such things.

      Lol, why would you think that when almost everything associated with crypto has shown the exact opposite to be true?

Statistics are no substitute for judgement. -- Henry Clay

Working...