July 14, 2024 — samczsun, tayvano, AndrewMohawk


<aside> ❗ On July 18th, Squarespace released a postmortem on their status page. The conclusions from that postmortem run contrary to what we observed while responding to this incident, and we are eager to reconcile our timeline with Squarespace.

</aside>

Summary

Over the course of several days, an unknown threat actor exploited a vulnerability in Squarespace to take over accounts that controlled domains which had recently been migrated as part of Squarespace’s acquisition of Google Domains. Using this access, the threat actor was able to redirect users to phishing sites, intercept email, and hijack control of Google Workspace (formerly G Suite) tenants to read email and enroll devices.

SEAL 911 first responders and SEAL security researchers worked tirelessly alongside affected companies to coordinate the incident response, assist in recovering access, and advise the broader cryptocurrency ecosystem on how to protect themselves.

Introduction

<aside> 💡 If you already understand the difference between registries and registrars and how DNS works, you can skip to What Went Wrong

</aside>

What is a Domain?

A domain is something like google.com, blog.ethereum.org, or registry.amazon. More specifically, a domain name is a series of words (technically, they’re called “labels”) joined by dots.

In a domain, the rightmost label is referred to as the top level domain (TLD). TLDs are important because although the Domain Name System (DNS) namespace is coordinated at the top by the Internet Corporation for Assigned Names and Numbers (ICANN), responsibility for each TLD is delegated to a specific entity, known as a Registry. This means that although ICANN is the ultimate arbiter of the DNS, in practice it defers to the Registries for day-to-day operation of their TLDs.

What is a Registry?

Registries are the companies that maintain the authoritative records for one or more TLDs. For example, VeriSign operates large parts of the infrastructure for the internet, including the registries for .com, .net, .name, and .cc. Identity Digital operates registries for hundreds of gTLDs, including .finance, .fyi, and .rip.

Although registries operate the TLD, you typically cannot buy a domain from registries directly. Instead, you’ll need to work with a reseller that is partnered with the registry, known as a registrar.

What is a Registrar?

Registrars are companies that you know and love, such as Namecheap, GoDaddy, or Squarespace. When you buy a domain from a registrar, they coordinate with the registry in order to allocate and modify the domain on your behalf. There are three main settings that a registrar can edit: the domain contacts, the nameservers (NS), and the domain status.

Domain contacts are straightforward: this is the information you’re required to provide when purchasing a domain, such as your name, address, email, and phone number. There are four standard domain contacts: registrant, administrator, technical, and billing. They’re exactly what their names imply.

Nameservers are a crucial part of the DNS, which we’ll cover later.

Finally, when a registrar offers something like “transfer lock”, what it is actually doing is applying certain EPP statuses to your domain. Typically, consumer registrars offer Registrar Locking, which applies the clientTransferProhibited, clientUpdateProhibited, and clientDeleteProhibited statuses. Some specialty registrars such as MarkMonitor and CSC also offer Registry Locking, which applies the server variants of those statuses (serverTransferProhibited, serverUpdateProhibited, and serverDeleteProhibited). The distinction matters: client* statuses are set and removed by the registrar, so they offer no protection once an attacker controls your account at the registrar, because whoever holds the account can have the registrar clear them. The server* statuses can only be changed by the registry, typically through a manual, out-of-band verification process, which is why Registry Locking is the stronger control. You can see which statuses a domain currently carries in its WHOIS or RDAP record.
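As a practical check on the statuses described above, the following is an added example (written for this page, not code from SEAL, Squarespace, or any registrar) that reads the EPP status codes out of either a parsed RDAP domain object or an ICANN-format WHOIS record and reports whether they amount to a registrar lock, a registry lock, or neither. It assumes the two standard spellings of the codes (the camelCase EPP form used in WHOIS and the lowercase-words form RFC 8056 uses in RDAP); the sample RDAP object and WHOIS text below are constructed, not real lookups.

```python
"""Classify a domain's EPP status codes as registrar lock, registry lock, partial, or none.

Added example for this page (not code from the post or from any registrar). It parses
the "status" array of an RDAP domain object and the "Domain Status:" lines of an
ICANN-format WHOIS record; both carry the same EPP codes in slightly different spellings.
"""
import re
from typing import Iterable

# RFC 8056 spells EPP status codes as lowercase words in RDAP; map them back to EPP form.
_RDAP_TO_EPP = {
    "client transfer prohibited": "clientTransferProhibited",
    "client update prohibited": "clientUpdateProhibited",
    "client delete prohibited": "clientDeleteProhibited",
    "server transfer prohibited": "serverTransferProhibited",
    "server update prohibited": "serverUpdateProhibited",
    "server delete prohibited": "serverDeleteProhibited",
}

# The three client* statuses a consumer "transfer lock" sets, and their registry-set counterparts.
REGISTRAR_LOCK = frozenset(
    {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}
)
REGISTRY_LOCK = frozenset(
    {"serverTransferProhibited", "serverUpdateProhibited", "serverDeleteProhibited"}
)


def normalize_statuses(statuses: Iterable[str]) -> set[str]:
    """Return EPP-style codes, accepting RDAP spellings and WHOIS values with a trailing URL."""
    out: set[str] = set()
    for raw in statuses:
        s = raw.strip()
        if not s:
            continue
        if s.lower() in _RDAP_TO_EPP:
            out.add(_RDAP_TO_EPP[s.lower()])
        else:
            # WHOIS prints e.g. "clientTransferProhibited https://icann.org/epp#clientTransferProhibited"
            out.add(s.split()[0])
    return out


def statuses_from_rdap(doc: dict) -> set[str]:
    """Extract statuses from a parsed RDAP domain object (its "status" member)."""
    return normalize_statuses(doc.get("status", []))


_WHOIS_STATUS = re.compile(r"^\s*Domain Status:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def statuses_from_whois(text: str) -> set[str]:
    """Extract statuses from the 'Domain Status:' lines of a WHOIS record."""
    return normalize_statuses(_WHOIS_STATUS.findall(text))


def lock_level(statuses: set[str]) -> str:
    """'registry' if all server* locks are set, 'registrar' if all client* locks, 'partial', or 'none'."""
    if REGISTRY_LOCK <= statuses:
        return "registry"
    if REGISTRAR_LOCK <= statuses:
        return "registrar"
    if statuses & (REGISTRY_LOCK | REGISTRAR_LOCK):
        return "partial"
    return "none"


def missing_registrar_locks(statuses: set[str]) -> set[str]:
    """Which of the three client* locks are absent; anything here is worth raising with the registrar."""
    return set(REGISTRAR_LOCK - statuses)


# Constructed sample inputs (not real lookups) in the shapes the two sources return.
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "status": ["client transfer prohibited", "client update prohibited", "client delete prohibited"],
}
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE.NET
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
"""

if __name__ == "__main__":
    for label, st in (("rdap", statuses_from_rdap(SAMPLE_RDAP)),
                      ("whois", statuses_from_whois(SAMPLE_WHOIS))):
        print(label, lock_level(st), "missing client locks:", sorted(missing_registrar_locks(st)))
```

To run this against a real domain, feed `statuses_from_rdap` the JSON from your registrar's or registry's RDAP endpoint, or `statuses_from_whois` the raw output of a `whois` query; a result of `partial` or `none`, or any entry in `missing_registrar_locks`, means the domain can be transferred, updated, or deleted through the registrar without the extra step a lock would impose.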

What is the DNS?