Security Warning: Squarespace Transfer from Google Domains

By Wavefront_Security_Dave @ 2024-06-10T09:26 (+4)

Why you should care:

Domains owned by Squarespace can make new superadmins in your Workspace/Drive/Email and own all of your things. This is not great for your security, because you want only one Admin account that you control.


Take 5 minutes and do the top quick fix in the next section. Squarespace can modify users into full admins if your Google Workspace Admin hasn’t reclaimed control away from the reseller which is Squarespace in this scenario. This means that there are two accounts who can fully control your Google domain: 1) Your root user / superadmin and any they delegate 2) your Squarespace account owner. There are short term fixes as well as full risk mitigation steps below. I'll be running some checks and emailing possibly affected orgs.

Quick fixes

Full Fix

How to tell if someone has used your Squarespace to make an admin:

First, go to the Investigation Tool for Admin Log Events: Reporting > Audit and Investigation > Admin Log Events

Run a search - Use the Condition Builder, set the search to Event, then look for “Admin Privileges Grant” (you can select it from a dropdown as well) and hit Search:

If you have any unexpected notifications after your search, please feel free to DM me and I can walk you through some next steps.

If you don't care about technical aspects of any of this, please feel free to stop reading here!

(For Technical Users) Here’s what I tested

The main points are highlighted in bold


So with the information above, a compromised cred for the Squarespace Account Owner, who does not have to be the Workspace admin, seems to be sufficient to take all Workspace data that isn’t backed up offsite/offdomain. Thus, every Google Workspace has two admin accounts: Google Workspace Root Admin and Squarespace Admin.