Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks

Squarespace Vulnerability & Impact

  • Core flaw: migrated Google Domains accounts landed in a “half-initialized” state; anyone who knew the email could sign up, set a password, and gain control without proving email ownership.
  • Commenters describe this as gross negligence, especially for a large provider handling critical infrastructure (domains, Workspace reseller access).
  • Concern that hijacked Squarespace accounts could create new Google Workspace admins for affected domains.
  • Squarespace’s lack of a clear, official postmortem is criticized; users are unsure if the issue is fully fixed.

Google Domains Sale & Trust

  • Many used Google Domains explicitly for perceived security and longevity; the sale to Squarespace is seen as a major breach of trust.
  • Several argue domains fit Google’s core strengths and supported its cloud/PaaS ambitions, making the divestiture baffling.
  • Internal-culture anecdotes depict Google as dominated by MBAs and cost-cutting, with products cut to enable layoffs and satisfy financial goals.
  • Some moved domains elsewhere immediately upon hearing of the sale to avoid a forced bulk migration.

Registrar Choices & Migration Strategies

  • Recommended registrars include Namecheap, Porkbun, Cloudflare, Dynadot, Joker, iwantmyname, infomaniak, OpenSRS/Hover, AWS (as reseller), NameISP.
  • Experiences vary: praise for Porkbun support and security (e.g., hardware keys), criticism of Namecheap communications, and skepticism toward Cloudflare’s at-cost model and upsell pressure.
  • Widespread distrust of the registrar industry overall; some fear any provider can be acquired or shut down.
  • Best practice suggested: decouple DNS hosting from registrar to make registrar moves safer and less disruptive.

Email Verification & Security Practices

  • Strong consensus that attaching unverified emails to accounts is dangerous; many products skip verification to improve conversion funnels.
  • Suggestions include: legally requiring verification, strict separation of verified/unverified emails in databases, and making it hard for non-auth teams to rely on unverified addresses.
  • Debate over how market forces and imperfect consumer information undermine security-focused choices.
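The two failure modes discussed in this thread, handing a pre-provisioned account to whoever supplies its email first (the "half-initialized" flaw under Squarespace Vulnerability & Impact above) and letting unverified addresses flow into privileged operations, are contrasted below with a hardened claim flow. This is an added Python example, not code from the discussion or from Squarespace; the in-memory store, the function names, the token lifetime and the `email_verified` field are all assumptions used for illustration.

```python
"""Account-claim flow for accounts imported with only an email address.

Constructed demo: a dict stands in for the user database, and the
verification token is returned to the caller instead of being emailed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a claim token


class ClaimError(Exception):
    pass


@dataclass
class Account:
    email: str                                 # address imported by the migration
    email_verified: bool = False               # imported addresses start unverified
    password_hash: Optional[bytes] = None      # None == no credentials set yet
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pending_token_hash: Optional[bytes] = None
    pending_token_expiry: float = 0.0


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_hash(token: str) -> bytes:
    # Store only a digest so a leaked database row cannot be replayed as a token.
    return hashlib.sha256(token.encode()).digest()


def seed_migrated_accounts(emails) -> Dict[str, Account]:
    """Constructed sample data: accounts that exist with nothing but an email."""
    return {e: Account(email=e) for e in emails}


def claim_account_insecure(db: Dict[str, Account], email: str, password: str) -> Account:
    """The weak default: knowing the email is enough to set the first password.
    Nothing here proves the caller controls the mailbox."""
    acct = db.get(email)
    if acct is None or acct.password_hash is not None:
        raise ClaimError("not claimable")
    acct.password_hash = _password_hash(password, acct.salt)
    return acct


def start_claim(db: Dict[str, Account], email: str, now: Optional[float] = None) -> str:
    """Hardened step 1: mint a single-use token that is delivered only to the
    mailbox on file. Returned here instead of emailed (demo shortcut)."""
    acct = db.get(email)
    if acct is None or acct.password_hash is not None:
        # A production endpoint would answer identically for unknown and
        # already-claimed addresses so the response does not reveal which exist.
        raise ClaimError("not claimable")
    token = secrets.token_urlsafe(32)
    acct.pending_token_hash = _token_hash(token)
    acct.pending_token_expiry = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    return token


def finish_claim(db: Dict[str, Account], email: str, token: str, password: str,
                 now: Optional[float] = None) -> Account:
    """Hardened step 2: the password is set only after the mailbox-delivered
    token is presented, and only then is the address marked verified."""
    acct = db.get(email)
    if acct is None or acct.pending_token_hash is None:
        raise ClaimError("no pending claim")
    if (now if now is not None else time.time()) > acct.pending_token_expiry:
        acct.pending_token_hash = None
        raise ClaimError("token expired")
    if not hmac.compare_digest(acct.pending_token_hash, _token_hash(token)):
        raise ClaimError("bad token")
    acct.pending_token_hash = None
    acct.email_verified = True
    acct.password_hash = _password_hash(password, acct.salt)
    return acct


def grant_workspace_admin(acct: Account) -> bool:
    """Privileged actions gate on the verified flag, so an account whose address
    was never proven (including one claimed via the insecure path) is refused."""
    if not acct.email_verified:
        raise ClaimError("email not verified")
    return True


if __name__ == "__main__":
    store = seed_migrated_accounts(["owner@example.com"])
    issued = start_claim(store, "owner@example.com")
    claimed = finish_claim(store, "owner@example.com", issued, "correct horse battery")
    print("verified:", claimed.email_verified, "admin ok:", grant_workspace_admin(claimed))
```

The point of keeping `email_verified` as a separate column rather than inferring it from "has a password" is the one made in the thread: every other team's code can then check a single flag before trusting the address, and an account that slipped through a weak claim path still cannot be escalated.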

Liability, Regulation & Organizational Dynamics

  • Some want such security failures criminalized at the organizational level; others argue civil liability (tort/small claims) is the realistic lever.
  • Dispute over whether developers or management should bear legal responsibility; concern that laws without enforcement just push risk downward.
  • Advice to document security concerns in writing to create accountability, though there’s debate over motives and effectiveness.

Broader Industry & Career Reflections

  • Defense-side cybersecurity roles are portrayed as frustrating: constant vendor noise, management penny-pinching, uncooperative users, and blame whether incidents happen or not.
  • This resonates with those considering or already adjacent to security work.
  • Squarespace is also criticized for product decisions (no backups, constrained DNS/MX control, simplistic workflows) seen as favoring marketing and design over robustness for less technical users.