Unstoppable Domains SquareSpace DNS Hijacking

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository

Unstoppable Domains Logo/Homepage

Unstoppable Domains offers web3-based domain names which serve as an identity for users on the blockchain. On July 11th, Google Domains was acquired by SquareSpace, which set up a transition process whereby users could log in to transfer their accounts to SquareSpace. There was no validation of who owned those accounts, which allowed malicious individuals to claim and hijack popular domain names. These domain names were redirected to phishing sites. This included the Unstoppable Domains domain name.[1][2][3][4][5][6][7][8][9]

About Unstoppable Domains

"One Stop Shop for Onchain Domains Own your identity in the digital world." "Unstoppable Domains is on a mission to create user-owned, digital identity for every person on the planet. To accomplish this, we are creating web3 domains that put you back in control of your data. These aren’t just traditional domains, these are domains with superpowers."

"Your Unstoppable domain is your identity for Web3. Use your Unstoppable Domain to build and verify your digital identity, log in seamlessly to applications, games and metaverses, make payments easier by simplifying lengthy crypto wallet addresses, and create and host websites that you fully own.

Unstoppable Domains are minted on the blockchain with zero gas fees. Best of all, once you buy and claim a Web3 domain, it's yours forever — no renewal fees."

"Find your ideal domain from a vast selection of endings that fit both your brand's personality and budget." "Seamlessly secure your domain with credit card or crypto-payments." "Instantly mint your new domain to your personal wallet or choose the UD Vault for enhanced security." "Enjoy complete control over your domain — manage or sell it whenever you choose."

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

"Last week, our DNS provider @squarespace, experienced a compromise during the migration from Google Domains, affecting many companies. This issue was isolated to DNS settings on Squarespace and did not impact Unstoppable Domains’ core services."

Key Event Timeline - Unstoppable Domains SquareSpace DNS Hijacking
| Date | Event | Description |
|---|---|---|
| July 16th, 2024 2:32:00 PM MDT | Explanation Tweet Posted | Unstoppable Domains posts a tweet with an explanation of what happened to compromise the domain name. |
| July 16th, 2024 2:37:00 PM MDT | Back Secure And Operational | Unstoppable Domains makes a Twitter post to announce that their website and communications are now fully secure. They promise security enhancements in the future, including transferring the domain to themselves as a registrar and tokenizing the domain name. |

Technical Details

"Unfortunately, many domain contributors never created their Squarespace accounts either because they forgot that they were granted contributor access, or they didn’t expect inaction to have security implications, making it quite easy for a threat actor to beat them to the punch and gain full access to their account."
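
An added illustration (not code from the original page, Squarespace, or Unstoppable Domains) of the weakness described above: a migrated role pre-provisioned by e-mail address that the first sign-up can claim, beside a claim flow that requires a token delivered to the mailbox on record. The store layout, function names, and `example.test` data are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment signing secret
TOKEN_TTL = 900                       # claim token lifetime in seconds

def new_store():
    # Constructed sample: a role pre-provisioned by e-mail during migration.
    return {"admin@example.test": {"domain": "example.test", "claimed_by": None}}

def claim_unverified(store, email, session_id):
    """Weak flow: the first sign-up using the e-mail receives the role."""
    acct = store.get(email.lower())
    if acct is None or acct["claimed_by"]:
        return False
    acct["claimed_by"] = session_id  # no proof the caller controls the mailbox
    return True

def _sign(email, expires):
    msg = f"{email.lower()}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(email, now=None):
    """Token is mailed to the address on record, never shown to the web session."""
    now = time.time() if now is None else now
    expires = int(now + TOKEN_TTL)
    return f"{expires}.{_sign(email, expires)}"

def claim_verified(store, email, session_id, token, now=None):
    """Hardened flow: the claim needs a valid, unexpired mailbox token."""
    now = time.time() if now is None else now
    acct = store.get(email.lower())
    if acct is None or acct["claimed_by"]:
        return False
    try:
        expires_text, sig = token.split(".", 1)
        expires = int(expires_text)
    except (AttributeError, ValueError):
        return False
    if not hmac.compare_digest(sig.encode(), _sign(email, expires).encode()):
        return False
    if now > expires:
        return False
    acct["claimed_by"] = session_id
    return True
```

In the weak flow, inaction by the legitimate contributor leaves the role claimable by any session; in the hardened flow an unclaimed role stays unclaimed until someone with access to the mailbox presents the token.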

Total Amount Lost

No funds were lost.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

"Importantly, our backend services, smart contracts and critical infrastructure were unaffected, ensuring your data remains completely safe.

No user data leaks or account compromises occurred, reaffirming our commitment to your security."

"Web3 domain provider Unstoppable Domains stated on Twitter that Unstoppabledomains.com was attacked. Until further notice, please do not open any emails from @unstoppabledomains.com or use the website."

"We actively engaged in a Telegram community with other companies impacted, offering support and sharing insights to help everyone involved.

Our team worked tirelessly to review the situation. Because our backend was completely secure, no data was compromised and your information remains safe."

Ultimate Outcome

"We’re pleased to report that our website, http://unstoppabledomains.com, and communications from @unstoppabledomains.com are secure & fully operational.

--> Our team worked tirelessly to prioritize and ensure the safety and security of our users.

--> No user data leaks or account compromises occurred.

--> Soon we will be moving our .com to Unstoppable as a Registrar and tokenizing it to provide an extra level of security and reliability."

"Traditional DNS registrars like @squarespace can face security challenges if compromised. Once we finalize ICANN approval for our registrar license, we’ll transfer and tokenize http://unstoppabledomains.com within our own system. This transition is expected within the next month."

"Once tokenized and onchain, any changes to DNS records or domain transfers will require a wallet signature.

This will enhance security, functionality and protect against attacks."

"No action is required from users at this time. As a best practice we recommend everyone turn on two-factor authentication (2FA).

To further secure your online presence, consider getting your .com domains through Unstoppable in the future.

Tokenizing your domains with us provides extra security and reliability, helping you avoid similar issues and ensuring better protection."

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References