A hiccup in the handover of former Google Domains has led to a rash of site takeovers, according to researchers with cybersecurity collective SEAL911 who responded to the matter. The news was first reported by security industry mainstay Brian Krebs.
“Over the course of several days, an unknown threat actor exploited a vulnerability in Squarespace to take over accounts which controlled domains that had been recently migrated as part of the Squarespace acquisition of Google Domains,” wrote the trio of researchers samczsun, tayvano, and AndrewMohawk.
“Using this access, the threat actor was able to redirect users to phishing sites, intercept emails, and hijack control of Google Workspace (formerly GSuite) tenants to read email and add devices.”
According to the researchers, the attacks stem from the 2023 handover of Google Domains to Squarespace as part of the search giant’s exit from the hosting game.
When Squarespace took over the accounts of Google Domains customers, they were faced with the task of migrating administrator accounts to its own service, which often meant associating Google accounts with a new Squarespace administrator account.
The researchers believe that in doing so, Squarespace failed to properly ensure that the accounts were genuine and not newly created accounts associated with the service.
“Unfortunately, many domain contributors never created their Squarespace accounts either because they forgot that they were granted contributor access or they didn’t expect inaction to have security implications, making it quite easy for a threat actor to beat them to the punch and gain full access to their account," the researchers explained.
The result was the takeover of at least a dozen cryptocurrency websites that were then pointed to fraud portals designed to hijack cryptocurrency investor accounts.
While the issue has since been reported to Squarespace, the researchers said that administrators should keep a close eye on their sites and carefully manage permissions for all associated accounts.
“If you bought Google Workspace via Google Domains, Squarespace is now your authorized reseller,” they noted.
“This means that anyone with access to your Squarespace account also has a backdoor into your Google Workspace unless you explicitly disable it by following the instructions here, which you should do.”
