[HN Gopher] Researchers: Weak Security Defaults Enabled Squaresp...
___________________________________________________________________
Researchers: Weak Security Defaults Enabled Squarespace Domains
Hijacks
Author : todsacerdoti
Score : 92 points
Date : 2024-07-15 15:25 UTC (7 hours ago)
(HTM) web link (krebsonsecurity.com)
(TXT) w3m dump (krebsonsecurity.com)
| hahahacorn wrote:
| I know we all make mistakes, and that I'm particularly fallible,
| but...
|
| Damn.
|
| I think I'm going to switch from fintech to cybersecurity.
| justin_oaks wrote:
| If you do, be sure you're on the side that is intentionally
| trying to find vulnerabilities, not the side trying to defend
| against them.
|
| The defense side sucks. You have to deal with security vendors
| that are eager to sell you snake oil. You have to actively
| fight against management that wants to save money. You have to
| fight against users who don't care about security.
|
| If everything goes smoothly and you have no security problems,
| the bosses wonder why they even pay you. If you have a security
| incident, the bosses wonder why they even pay you.
| mxuribe wrote:
| For much of the last decade, my career seems to be more and
| more partnered with cybersecurity teams...I like the kinds of
| people, and I like partnering with such teams. I work so
| closely with such teams, and many of my peers/colleagues -
| both on the cyber teams and others not on cyber teams - have
| suggested that I should pursue a career in
| cybersecurity...they often say that I have the head for
| it...that I have a natural knack for actually working in
| cybersecurity...but I've hesitated and I can't always
| succinctly verbalize why. Well, I think you stated it much
| better than I could; the defense side sucks for the reasons
| you stated!!! :-)
| WillPostForFood wrote:
| Clearly Squarespace is the guilty party here, but man, I am still
| upset Google shut down Domains, and can't help but direct some
| ire at their abandonment of yet another product.
| iakov wrote:
| They did? I missed that. It hasn't lasted even ten years, has
| it?
|
| I remember reading the Domains announcement and thought to
| myself - "you have to be a fool to trust Google to host your
| domains long-term". Feels good to be right, but I feel bad for
| everyone who jumped on the bandwagon. I can't imagine trusting
| Google products to last these days.
| JohnMakin wrote:
| It was useful because it integrated super nicely into
| workspace account administration. Unfortunately all the
| issues have been painfully predictable and the rollout has
| been bad.
| dvzk wrote:
| The entire consumer registrar industry is untrustworthy. I
| can't think of a worse category of online services, ranked by
| security and sleazebaggery, with the possible exception of
| the VPN market.
| binkHN wrote:
| I'm in your same boat. I had a bunch of domains with Google
| because of the brand recognition, but this acquisition annoys
| me immensely and clearly it's off to a great start!
| meiraleal wrote:
| People that registered those domains and got hacked bought them
| from Google, so trusting Google was the security issue.
| jddj wrote:
| Ugh.
|
| Any recommendations for a quality domain registrar? Might as well
| get started with the migration.
| dewey wrote:
| I've been with Namecheap forever. It's not super pretty UX wise
| but it works and boring is what I'm looking for in a domain
| registrar.
| ioblomov wrote:
| Enom sounds similar. Been using it, with short default TTLs,
| for years.
| mfkp wrote:
| I've been transferring my portfolio from namecheap over to
| porkbun. Much better customer service, better prices.
|
| https://porkbun.com
| demondemidi wrote:
| How do you know that won't be sold to some other dumb org?
| mfkp wrote:
| Because selling domains is their core business. Not a
| google project that will be cancelled in a few years.
| jvan wrote:
| Please tell me what guarantee you would accept from any
| company that they won't eventually sell off a line of
| business or otherwise be acquired.
| gchamonlive wrote:
| I'd recommend Cloudflare for transparency.
| djbusby wrote:
| One thing that sucks when moving registrar is that some
| (Namecheap, Porkbun, Enom/Tucows) don't let you set DNS
| entries before migration. Move reg, update NS and then add
| entries.
|
| So, my process now is to put DNS service OUTSIDE the registrar
| - so that switching one doesn't have to impact the others.
|
| Why these providers don't let me create the NS Zone before
| transfer confounds me.
| jsheard wrote:
| Porkbun definitely lets you do that, they allow you to add an
| "external" domain which runs on their DNS (actually
| Cloudflare) but isn't registered through them, then you can
| seamlessly transfer the domain in to Porkbun later.
|
| IIRC Spaceship (Namecheap's soft-relaunch) lets you set up
| your DNS records as soon as you initiate a transfer to them,
| before it completes, so the records are ready as soon as the
| nameservers switch over. Not sure about the original
| Namecheap, I haven't used them for a while.
| fourseventy wrote:
| Cloudflare
| bogwog wrote:
| I tried Cloudflare but am worried they're going to start
| restricting features or something because of how aggressively
| they try to upsell shit I don't need.
|
| They say they sell domains at cost, which is a red flag since
| it means people who only use them as a registrar are going to
| be the first to go when they start loading up the
| enshittification bandwagon.
|
| I don't care about the price of domains. They're relatively
| cheap even with the mark up from your typical registrar. What
| I care about is peace of mind that I won't lose my domain due
| to an incompetent registrar, or will have to scramble to
| transfer everything again because of reasons outside of my
| control. Cloudflare doesn't offer that.
|
| I've now decided to move to Namecheap. Idk how solid they
| are, but they seem to have been selling domains for a very
| long time.
| dboreham wrote:
| In my experience Cloudflare is not appropriate unless you
| plan to only host CF services on the Zone. E.g. no
| delegation allowed.
| dboreham wrote:
| Porkbun here, and some AWS (which is a reseller of someone else
| iirc). Also we have a bunch of older domains at OpenSRS but
| tend not to use them for new work.
| diggan wrote:
| > Taylor Monahan, lead product manager at Metamask, said
| Squarespace never accounted for the possibility that a threat
| actor might sign up for an account using an email associated with
| a recently-migrated domain before the legitimate email holder
| created the account themselves.
|
| > "Thus nothing actually stops them from trying to login with an
| email," Monahan told KrebsOnSecurity. "And since there's no
| password on the account, it just shoots them to the 'create
| password for your new account' flow. And since the account is
| half-initialized on the backend, they now have access to the
| domain in question."
|
| This sounds like gross security negligence, and should probably
| be considered a crime when you're at the size of Squarespace with
| (assuming) a dedicated security team. Hopefully
| executives/management can be held responsible for whatever damage
| was done because of this.
| refulgentis wrote:
| Squarespace is directly responsible, but my irrational instinct is
| to blame Google even more, in that their role involved active
| abdication of responsibility for purely self-interested reasons
| and involved more employees than just their security
| engineering team.
|
| Domains are critical infrastructure; there wasn't any reason to sell
| them other than Wall Street puffery. The obvious downside was
| leaving business customers who got them via Cloud exposed. Per
| my uninformed intuition at the time, there wasn't a secure way
| to do this sort of switchover without a lot of manual reaching
| out that neither of them was going to do.
|
| Additionally, Google went out of their way to sweeten the deal
| by A) making Squarespace the reseller for any associated Google
| Workspace records which B) greatly widened the vulnerability
| surface. [1]
|
| This sounded uninformed to me, until it happened, so [2] quotes
| the retrospective at length to show there was no secure and
| automated choice.
|
| Both via Security Alliance's "A Squarespace Retrospective":
| https://securityalliance.notion.site/A-Squarespace-Retrospec...
|
| [1] "Furthermore, as Squarespace is an authorized Google
| Workspace reseller, any teams who had purchased Google
| Workspace through Google Domains had their license transferred
| to Squarespace. This allows the threat actor to create new
| administrators in Google Workspace via the hijacked Squarespace
| account."
|
| [2] "However, what happens for [domain owner] emails which are
| not already registered to an [Squarespace] account? Well, you
| could preemptively create a new account for that email and send
| them a temporary password, but sending passwords in plain text
| is not a good practice, it would be pretty complicated to
| create millions of users with temporary passwords, and most
| people migrating probably want to use their Google account to
| sign in, not a password. Maybe your systems don't even support
| creating temporary users like this."
| godzillabrennus wrote:
| This entire transition has made me HATE Google.
| IntToDouble wrote:
| Direct link to the retrospective:
|
| https://securityalliance.notion.site/A-Squarespace-Retrospec...
| diggan wrote:
| Direct link to an _unofficial and 3rd party_ retrospective, it
| would seem.
|
| > As Squarespace has yet to release an official statement or
| postmortem, the following is our strongest theory on how the
| threat actor was able to gain initial access to Squarespace
| accounts. It is the most likely explanation given the
| information we collected from numerous affected companies and
| experiments we ran ourselves.
| kentonv wrote:
| So many products make email verification optional in order to
| improve their funnel. But it's a huge security risk, because it
| leads to bugs like this. Very few engineers and PMs will actually
| stop to think: "Wait, what if the user's email address isn't
| verified?"
|
| I kind of wish we could just pass a law that says you have to
| validate email addresses before attaching them to accounts at
| all. Because otherwise, competitive pressure will keep pushing
| people towards not doing it and aiming this gun at their foot in
| the name of conversions.
|
| In the absence of a law: If your service insists on allowing
| unverified email addresses, you should store them in a completely
| different place in your database from verified ones. Maybe even
| obfuscate them with some encoding. Do whatever you can to make it
| really hard for anyone to accidentally rely on an unverified
| address. Ideally make it impossible for anyone except the team in
| charge of authentication to even see an unverified address.
|
| On another note, holy shit. So many people (myself included)
| chose Google Domains specifically because they thought it would
| be secure and trustworthy, because it's Google. Won't make that
| mistake again.
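The account-claim flow Monahan describes above, and the "store unverified addresses somewhere the rest of the system cannot reach" design kentonv recommends, as an added Python example that is not part of the thread and not Squarespace's or Google's code. `WeakRegistrar` models the weak default (a migrated account with no password, where the first login with its email lands in the set-password flow); `HardenedRegistrar` keeps unverified imports in a separate pending store that never authenticates and attaches domains only after a single-use claim token that, in reality, would be delivered to the mailbox. The class names, the `owner@example.com` address and `example.com` domain are constructed for illustration.

```python
"""Added example, not Squarespace's, Google's or any commenter's code.

WeakRegistrar models the flaw Monahan describes: a migrated account has no
password, and the first 'login' with its email is routed into a set-password
flow. HardenedRegistrar follows kentonv's advice: unverified imports live in a
separate store, never authenticate, and become a real account only through a
single-use claim token delivered to the mailbox. All data here is constructed.
"""
import hashlib, hmac, os, secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    email: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: Optional[bytes] = None           # None == "half-initialized"
    domains: List[str] = field(default_factory=list)


class WeakRegistrar:
    """Weak default: migrated and live accounts share one table."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def import_from_migration(self, email: str, domain: str) -> None:
        self.accounts.setdefault(email, Account(email)).domains.append(domain)

    def login_or_set_password(self, email: str, password: str) -> Optional[Account]:
        acct = self.accounts.get(email)
        if acct is None:
            return None
        if acct.pw_hash is None:
            # The flaw: the password is set with no proof of mailbox control.
            acct.pw_hash = _hash(password, acct.salt)
            return acct
        return acct if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)) else None


class HardenedRegistrar:
    """Pending (unverified) imports are segregated and can never log in."""

    def __init__(self) -> None:
        self.verified: Dict[str, Account] = {}
        self.pending: Dict[str, List[str]] = {}   # email -> domains awaiting claim
        self.claim_tokens: Dict[str, str] = {}    # email -> sha256(token)

    def import_from_migration(self, email: str, domain: str) -> None:
        self.pending.setdefault(email, []).append(domain)

    def send_claim_token(self, email: str) -> str:
        """Returns the token that would be emailed; only the mailbox owner sees it."""
        token = secrets.token_urlsafe(32)
        self.claim_tokens[email] = hashlib.sha256(token.encode()).hexdigest()
        return token

    def claim(self, email: str, token: str, password: str) -> Optional[Account]:
        expected = self.claim_tokens.get(email)
        presented = hashlib.sha256(token.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, presented):
            return None
        del self.claim_tokens[email]                # single use
        acct = Account(email)
        acct.pw_hash = _hash(password, acct.salt)
        acct.domains = self.pending.pop(email, [])  # domains attach only on a verified claim
        self.verified[email] = acct
        return acct

    def login(self, email: str, password: str) -> Optional[Account]:
        acct = self.verified.get(email)
        if acct is None or acct.pw_hash is None:
            return None
        return acct if hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)) else None


def demo() -> Dict[str, bool]:
    """Runs both models over the same constructed migration and reports the outcomes."""
    weak = WeakRegistrar()
    weak.import_from_migration("owner@example.com", "example.com")
    first = weak.login_or_set_password("owner@example.com", "any-password")

    hard = HardenedRegistrar()
    hard.import_from_migration("owner@example.com", "example.com")
    without_token = hard.claim("owner@example.com", "guess", "any-password")
    pending_login = hard.login("owner@example.com", "any-password")
    token = hard.send_claim_token("owner@example.com")   # delivered via email in reality
    owner = hard.claim("owner@example.com", token, "correct horse battery")
    replay = hard.claim("owner@example.com", token, "other")
    return {
        "weak_first_comer_owns_domain": first is not None and "example.com" in first.domains,
        "hardened_rejects_unverified": without_token is None and pending_login is None,
        "hardened_owner_gets_domain": owner is not None and owner.domains == ["example.com"],
        "hardened_token_single_use": replay is None,
        "hardened_login_works": hard.login("owner@example.com", "correct horse battery") is not None,
    }
```

The point of the split is structural rather than procedural: in `HardenedRegistrar` nothing outside `claim()` can read `pending`, so a login handler cannot accidentally treat an unverified import as a real account, which is exactly the mistake the weak model makes in one line.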
| justin_oaks wrote:
| At a previous job I complained to company leadership that we
| shouldn't trust email addresses without verification.
|
| I think the company eventually required verification, not
| because their trusted employee told them, but because a
| security review of the product pointed out the lack of email
| verification.
| AndrewMohawk wrote:
| I think this is genuinely a good takeaway; it's so easy for
| these two sides to assume something about the other (i.e. we have
| validated) that you can see how it can happen.
| Jerrrry wrote:
| >kind of wish we could just pass a law that says you have to
| validate email addresses before attaching them to accounts at
| all.
|
| We did, the government can only collect the data it needs to
| complete its stated objective. FedRAMP compliance. This exact
| exploit has happened at nearly every Fortune 500 company.
|
| > otherwise, competitive pressure will keep pushing people
| towards not doing it and aiming this gun at their foot in the
| name of conversions
|
| Market forces: people should be pressured to use more secure
| services.
| zacmps wrote:
| One of the (many) problems with the market is that consumers
| have imperfect information. In this case specifically it's
| almost never possible to have an accurate picture of a
| company's security in advance of a mistake like this one.
| warkdarrior wrote:
| > Market forces: people should be pressured to use more
| secure services.
|
| There is no such pressure in the market right now. Look at
| the email-provider market, where secure offerings like Proton
| Mail are nowhere close to less secure ones like Gmail,
| Outlook/Live.com, etc. Why don't people just flock to Proton
| Mail?
| rstupek wrote:
| What makes Proton Mail more secure than Gmail et al.?
| meiraleal wrote:
| Wow, that's a terrible way for Google to manage customers' security,
| selling them to an incompetent buyer. So many red flags pushing
| me to stop using anything Google.
| wintermutestwin wrote:
| When I evaluated Squarespace for a couple of nonprofits I work with,
| they lost out to Wix because Squarespace lacked a backup
| solution. I was stunned by that, but certainly not that such a
| clue-free team would cut security corners.
|
| How is it possible that this team blew off backup functionality
| for a product that is targeted at low skill end users? Maybe they
| ran out of money paying designers for yet another template that
| utilizes a full screen image on the landing page?
| cynicalsecurity wrote:
| Squarespace spends a lot on marketing. They probably ran out of
| money on engineers.
| SoftTalker wrote:
| Squarespace is targeted at technically illiterate small
| organizations. They make their workflows as simple as possible
| for that user base. I helped a local small nonprofit with their
| Squarespace site around 10 years ago, I know that's been long
| enough that it might not represent how things are today, but
| doing anything that wasn't implemented by their site builder
| tool was basically impossible.
| tomrod wrote:
| So glad I migrated everything off of Squarespace. Just an awful
| experience. Slick website. Slow as mud movement for everything
| else. AND--the owner can't modify MX records, you have to create
| and grant admin rights as the owner to an entirely separate
| account.
|
| Schnikey.
| 23B1 wrote:
| This move of google domains over to squarespace is the dumbest
| deal I have ever experienced and it makes me hate both companies
| even more.
| christophilus wrote:
| Is there a reason that there isn't a Let's Encrypt-like disruptor
| for registrars? It seems like it's such a cesspool.
| Thorrez wrote:
| When a CA issues a cert, the cost to the CA is essentially
| nothing.
|
| When a registrar registers a domain, that costs the registrar
| money because the registrar has to pay a fee to the registry.
| So a registrar generally cannot give out domains for free.
|
| Now, a registry could decide to charge no fee. That's what
| .tk used to do. So you could get a .tk domain for free. Of
| course then .tk domains got the reputation of being cheap junk
| and spam.
| dboreham wrote:
| For the impatient, what they did was: put a zillion DNS
| registration accounts into a limbo state where anyone who knew,
| or could guess the email address associated with an account,
| could supply that, and a password of their choice, to gain
| authentication credentials valid for the account because they
| stored the supplied password without any verification that it
| came from the owner of the associated email address.
___________________________________________________________________
(page generated 2024-07-15 23:00 UTC)