Compound, Celer attack caused by faulty migration system – DNS experts.

A July 11 Domain Name System (DNS) attack against multiple Web3 protocols may have been enabled by the migration of Google Domains customers to Squarespace's system, according to several DNS experts. Some of those experts argue that tokenized web domains greatly reduce the risk of future attacks.

On July 11, several Web3 protocols were targeted in a widespread DNS hijacking attack. Blockchain researcher ZachXBT discovered that Compound Finance's website was redirecting to a malicious phishing site designed to steal users' tokens. Later in the day, Celer Network announced that its website had also been targeted, although in its case the attack was detected and blocked.

Blockchain security firm Blockaid reported that the attack appeared to be related to “projects hosted on Squarespace,” suggesting that the vulnerability may have originated in Squarespace's domain registration system.

In a July 12 interview with Cointelegraph, Matt Gould, founder of the tokenized domain protocol Unstoppable Domains, theorized that the attack may have been caused by the forced move of users from Google Domains to Squarespace, which left them vulnerable to phishing. Gould said:

“If you're a Google Now customer and need to move to Squarespace, you'll need to create a new account. So you're a very easy, soft target for someone running a phishing campaign. ‘Hey, you need to create a new Squarespace account. You haven't done it yet. Your time is running out. Click this link.'”

In a post to X, Victor Zhou, founder of the tokenized domain protocol Namefi, expressed a similar view: “He [was suspected] […] The reason is probably that these projects are registered with Google Domains. When @Google sold its domain business to @SquareSpace a few months ago, the migration involved breaking multi-factor authentication by force, and the attackers were able to crack it with just a password.”

A report by cybersecurity firm Security Alliance blamed a botched migration process for the hack. According to the report, the “most likely explanation,” or “strong theory,” is that Squarespace automatically assigned the migrated domains to the Google email addresses associated with their owners.

This allowed legitimate users to access their domains immediately after creating an account on Squarespace. However, Squarespace did not require email verification for new accounts created with a password, so an attacker could claim a domain simply by signing up with the Google Domains owner's email address. Security Alliance suggested that this bug may have occurred because Squarespace's engineers assumed users would create their accounts with a Google login.

The report said:

“With all the information we have, we think the most likely explanation for what happened is that Squarespace assumed that all users migrating from Google Domains would use the ‘Continue with Google' login method. […] Squarespace never took into account the possibility that a threat actor could sign up to an account using an email associated with a recently migrated domain.”
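The flaw the report describes is an account-linking decision made before mailbox ownership is proven. The following is an added, constructed model of that logic (not Squarespace's code): a vulnerable password signup that attaches pre-assigned domains immediately, beside a hardened version that holds them until an emailed token is presented or an identity provider asserts a verified email. The domain names, email address and function names are assumptions.

```python
"""Constructed model of the account-claim flaw in the migration described
above; not Squarespace's code. Migrated domains are pre-assigned to the
owner's email before any account exists."""
import secrets
from dataclasses import dataclass, field

# Constructed data: owner email -> domains pre-assigned during migration.
MIGRATED_DOMAINS = {"owner@example.com": ["protocol.example", "app.example"]}
PENDING: dict = {}  # verification token -> account awaiting mailbox proof

@dataclass
class Account:
    email: str
    email_verified: bool
    domains: list = field(default_factory=list)

def attach_migrated_domains(acct: Account) -> None:
    """The migration shortcut: hand pre-assigned domains to the account."""
    acct.domains.extend(MIGRATED_DOMAINS.get(acct.email, []))

def vulnerable_signup(email: str) -> Account:
    """Flawed path: a password signup is treated as the mailbox owner with
    no verification, so domains are attached as soon as the account exists."""
    acct = Account(email=email, email_verified=False)
    attach_migrated_domains(acct)
    return acct

def hardened_signup(email: str) -> tuple:
    """Fixed path: create the account but hold the domains until the token
    (sent to the mailbox out of band) is presented back to confirm_email."""
    acct = Account(email=email, email_verified=False)
    token = secrets.token_urlsafe(32)
    PENDING[token] = acct
    return acct, token

def confirm_email(token: str):
    """Only a party that can read the mailbox can present a valid token."""
    acct = PENDING.pop(token, None)
    if acct is not None:
        acct.email_verified = True
        attach_migrated_domains(acct)
    return acct

def oidc_login(email: str, email_verified: bool) -> Account:
    """'Continue with Google' path: rely on the identity provider's claim."""
    acct = Account(email=email, email_verified=email_verified)
    if email_verified:
        attach_migrated_domains(acct)
    return acct
```

The point of the hardened path is that pre-assigned resources are bound to a verified identity, whichever login method is used.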

Cointelegraph contacted Squarespace for comment but did not receive a response prior to publication.

Gould suggested that this type of attack could be prevented in the future if Web3 protocols tokenize their domains and host them on a blockchain network.

“If we can chain domains, when you want to update your DNS settings, you can ask the client to sign a message with their key,” he said. “And if you put that extra security measure in there, […] then someone can't hack your account […] because they need to compromise not only your Squarespace account, but your wallet, your keys.”

For added protection, Gould said, a team can impose a two-of-three multisignature requirement, where at least two team members must sign a transaction to change DNS settings.
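As an added illustration of the signed-update and two-of-three checks Gould describes (example code, not Unstoppable Domains' implementation), the registry below applies a DNS change only when it carries valid signatures from at least two distinct authorized members and a fresh nonce. Per-member HMAC secrets stand in for wallet private keys so the example runs with the standard library only; the member names, keys and record values are constructed.

```python
"""Constructed example of the threshold check described above: a DNS change
is applied only when at least two of three team members have signed it.
Per-member HMAC secrets stand in for wallet private keys (an assumption,
chosen so the example runs with the standard library only)."""
import hashlib
import hmac
import json

TEAM_KEYS = {"alice": b"alice-key", "bob": b"bob-key", "carol": b"carol-key"}
THRESHOLD = 2  # two-of-three

def canonical(update: dict) -> bytes:
    """Deterministic encoding so every signer commits to the same bytes."""
    return json.dumps(update, sort_keys=True, separators=(",", ":")).encode()

def sign(member: str, update: dict) -> str:
    """Stand-in for a wallet signature over the DNS change."""
    return hmac.new(TEAM_KEYS[member], canonical(update), hashlib.sha256).hexdigest()

class DnsRegistry:
    def __init__(self):
        self.records = {}  # (domain, rtype) -> value
        self.nonce = 0     # next expected nonce; defeats replay of old changes

    def apply_update(self, update: dict, signatures: dict) -> bool:
        """Apply the change only if it is fresh and carries THRESHOLD valid
        signatures from distinct authorized members."""
        if update.get("nonce") != self.nonce:
            return False
        valid = set()
        for member, sig in signatures.items():
            if member in TEAM_KEYS and hmac.compare_digest(sig, sign(member, update)):
                valid.add(member)
        if len(valid) < THRESHOLD:
            return False
        self.records[(update["domain"], update["rtype"])] = update["value"]
        self.nonce += 1
        return True
```

A single compromised account (or key) can therefore neither change a record on its own nor replay a previously approved change.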

Another, more radical option is to put the registrar itself onchain. In that case, migration would no longer be necessary; switching providers would be like switching from one dealer to another. “If all registries were onchain and you wanted to update the registrant, you wouldn't have to ask the users to create a new account,” he said.

Zhou also said that tokenized domains help prevent these types of attacks. “Tokenized domain names offer the opportunity to enable advanced security measures based on programmable ownership,” he said. They can “enable limited signature signing, which means multiple users can control the domain together.”

Unlike conventional domains, where “your MFA [multifactor authentication] can be deleted,” tokenized or blockchain-based domains “make sure MFA is controlled by the domain owner rather than an intermediary like SquareSpace.” They can also allow a “social recovery mechanism” if a domain owner loses their private key, Zhou explained.

In Zhou's view, tokenized domains “provide a much better foundation for advanced security measures” than the existing centralized system.

Despite these potential security improvements, Nick Johnson, founder of the tokenized domain protocol Ethereum Name Service (ENS), cautioned that blockchain-based registry systems are not a silver bullet that will solve all security problems. “Definitely tokenized domains make it easier to protect yourself […],” Johnson told Cointelegraph on July 22. “Having your name controlled by an Ethereum account means you can put the security behind it that applies to your Ethereum account.”

However, he warned, “What it can't do is protect against vendor-initiated issues like the Squarespace hack, because being able to compromise the vendor means you can bypass all those restrictions.”

Although tokenizing domains “provides a lot of benefits,” Johnson said, “I don't think it intrinsically makes things more secure.” The best way to protect yourself is to be “incredibly careful who you trust with your company's crown jewels.”

Johnson said that most tokenized domain providers “probably put a little more emphasis on security on average,” which can lead to the perception that they are more secure. But “it doesn't automatically make them safer.”

According to Johnson, the main benefit of tokenizing domains is that it makes it easier for domain owners to register Ethereum usernames. For example, through ENS's partnership with GoDaddy, owners of GoDaddy domains can create Ethereum usernames through ENS; to do so, they “simply check a box and enter the address you want your name to resolve to, and you're done.”

According to GoDaddy's help page on the topic, the primary benefit for a website owner of having an Ethereum username is that it lets them receive cryptocurrency payments addressed to their domain name. Otherwise, they must provide an Ethereum address to each user who wants to send them cryptocurrency.

DNS attacks continue to threaten crypto users. On July 23, 12 days after the attacks on Compound and Celer, crypto exchange dYdX also saw its v3 user interface hacked. In this case, the attacker injected a malicious crypto-draining application directly into the exchange's wallet connection functionality.
