Security Warning: Squarespace Transfer from Google Domains

By Wavefront_Security_Dave @ 2024-06-10T09:26 (+4)

Why you should care:

Domains owned by Squarespace can make new superadmins in your Workspace/Drive/Email and own all of your things. This is not great for your security, because you want only one Admin account that you control.

Summary: 

Take 5 minutes and do the top quick fix in the next section. Squarespace can modify users into full admins if your Google Workspace Admin hasn’t reclaimed control away from the reseller which is Squarespace in this scenario. This means that there are two accounts who can fully control your Google domain: 1) Your root user / superadmin and any they delegate 2) your Squarespace account owner. There are short term fixes as well as full risk mitigation steps below. I'll be running some checks and emailing possibly affected orgs.

Quick fixes

• Retake control from Google Admin: Account > Account Settings > Account Management > Reseller Access > OFF is sufficient to remove control from Squarespace, and Squarespace does not appear to be able to take control back
  
  • I'd also recommend checking whether you've had an issue with the tutorial below!
• “Canceling” your subscription is how you transfer to Google Workspace’s full control of Google Workspace Users and Data, but Domain Admins in Squarespace can still be assigned silently and they can access DNS.  https://support.squarespace.com/hc/en-us/articles/206542007-Canceling-your-Google-Workspace-subscription

Full Fix

• Step 1: Retake Control of your Google Account via Canceling: https://support.squarespace.com/hc/en-us/articles/206542007-Canceling-your-Google-Workspace-subscription
• Step 2: Transfer Domain: https://support.squarespace.com/hc/en-us/articles/205812338-Transferring-a-domain-away-from-Squarespace 

How to tell if someone has used your Squarespace to make an admin:

First, go to the Investigation Tool for Admin Log Events: Reporting > Audit and Investigation > Admin Log Events

Run a search - Use the Condition Builder, set the search to Event, then look for “Admin Privileges Grant” (you can select it from a dropdown as well) and hit Search:

If you have any unexpected notifications after your search, please feel free to DM me and I can walk you through some next steps.

If you don't care about technical aspects of any of this, please feel free to stop reading here!

(For Technical Users) Here’s what I tested

The main points are highlighted in bold

• Users can be elevated to Google Workspace Admin by the Squarespace Owner if you haven’t at least transferred control of the account away from Squarespace.
  • There is no email or notification sent if a user is elevated to Admin via Squarespace. 
  • The user becomes a full superadmin immediately with no multi-party auth allowed
  • (Squarespace recommends that the google workspace admin be separate from the Squarespace admin, because then there’s a single point of failure for GW billing issues to affect your ability to access the Squarespace site)
  • I can’t determine a singular event to search for in Admin logs to see if someone has made an existing user an admin.
    • Looks like domain admin users are ~always modified by the entity wksp-svc-resell-prod-001@reseller.squarespaceapps.com
    • I had an event still in my admin logs from Feb that also showed verifications@reseller.squarespaceapps.com running only the initial admin creation but that seems to no longer be in use when I buy a new domain via squarespace. Everything is currently run through the wksp account for all modifications as far as I can tell.
• Domain Admin invitations can be sent to any email from the Squarespace page, and there’s no Confirmation Email or notification for the Owner. Domain Admins can make whatever edits they want to the DNS. 
  • Domain Admin Invitations can be Chained - Domain admins can invite others with no notification
  • Invited Domain Admins can turn off “Domain Lock” with no notification sent to the Owner.
  • Invited Domain Admins can request domain transfer codes, but they are sent to the owner alone.
• If I add someone on the Website level as a contributor, no combination of permissions I give them seem to be able to create a new Domain Admin or turn off/on domain lock or request a transfer code
• Logins
  • 2FA on Squarespace is not on by default when you set up an account, and is not forced. If users set up once and then forgot about it, then their Squarespace seems like it’s controlled from only the entry email.
  • They have passkeys as an auth option, I’m not qualified to judge their implementation, but using them is certainly better than nothing!
  • New 2FA registration generates an email to the owner.
  • If you have insecurely saved your squarespace backup codes, then it seems like this is another way to fail to protect your account just like with Google

So with the information above, a compromised cred for the Squarespace Account Owner, who does not have to be the Workspace admin, seems to be sufficient to take all Workspace data that isn’t backed up offsite/offdomain. Thus, every Google Workspace has two admin accounts: Google Workspace Root Admin and Squarespace Admin.

• Once a workspace subscription is canceled, I can confirm that it cannot be picked back up by squarespace
• Is there a way for an existing Business Standard account to prevent admins being changed? Not that I can tell, I think the main way would be to set up a rule that automatically suspends any new superadmins, which is usually too technical for regular users to set up well.
• Can a social engineer take over your account? I don't have good data on this. Squarespace Login is generally handled via something like SSO, but if disconnected then the account reverts to email/password. It’s tough for me to tell how bad this is - seems like a possible attack path is to temporarily block the “main social” account from being accessed then call Squarespace support to say email/password should be set up because the ‘main’ account is down? I don’t have enough social engineering experience to assert that this is the weakest path or to feel comfortable trying this myself, would be nice to hand this off to someone to see what’s possible.
  
• There appears to be no way to block Squarespace from adding an admin
• How can an org tell they're on squarespace - looks like we can just use https://builtwith.com/