In order to manipulate search results and launch a spam advertising campaign at scale, malicious actors have exploited a cross-site scripting (XSS) vulnerability in a virtual tour framework.
Security researcher Oleg Zaytsev, in a statement shared with The Hacker News, said the campaign, dubbed 360XSS, affected over 350 websites, including government portals, U.S. state government sites, British universities, big hotel chains, news outlets, car dealerships, and many Fortune 500 companies.
“This wasn’t just a spam operation,” the researcher said. “It was an industrial-scale misuse of trusted domains.”
All of these websites have one thing in common: a well-known platform called Krpano that allows for interactive online tours and virtual experiences.
Zaytsev said he discovered the campaign after noticing a pornographic ad that was listed on Google Search but carried a Yale University domain (“virtualtour.quantuminstitute.yale[.]edu”).
A notable feature of these URLs is an XML parameter that is meant to redirect the site visitor to a second page hosted on another legitimate website, which is then used to load a Base64-encoded payload via an XML document. The decoded payload, in turn, fetches the target URL (i.e., the ad) from yet another legitimate site.
The XML parameter is part of a broader configuration setting called “passQueryParameters” that is used when embedding a Krpano panorama viewer in an HTML page. It was designed specifically to let the viewer receive HTTP parameters from the URL.
If the option is enabled, it opens the door to a scenario in which a malicious script could execute in a victim’s web browser when the vulnerable site is visited.
Indeed, a vulnerability arising from this behavior was disclosed in Krpano in late 2020 ( , CVSS score: 6.1), meaning the flaw has been publicly known for more than four years.
Zaytsev found that explicitly adding the XML parameter to the allowlist reintroduced the XSS risk, even though the version 1.20.10 update had restricted “passQueryParameters” to an allowlist in an effort to stop such XSS attacks.
“Since version 1.20.10, Krpano’s default installation was not vulnerable,” the researcher told The Hacker News via email. However, using passQueryParameter in combination with the XML parameter allowed external XML configuration via the URL, which created an XSS risk.
“The exploited versions I’ve come across were primarily older versions that predated version 1.20.10,” he said.
The campaign, per Zaytsev, has leveraged this weakness to hijack over 350 sites to serve sketchy ads related to pornography, diet supplements, online casinos, and fake news sites. What’s more, some of these pages have been weaponized to boost YouTube video views.
The campaign is noteworthy, not least because it abuses the trust and credibility of legitimate domains to rank prominently in search results, a technique called search engine optimization (SEO) poisoning, which in this case is achieved by abusing the XSS flaw.
“A reflected XSS is a fun vulnerability, but on its own it requires user interaction, and one of the biggest challenges is getting people to click your reflected XSS link,” Zaytsev said. “So using search engines as a distribution platform for your XSS is a very inventive and cool way to do it.”
Following responsible disclosure, the most recent version of Krpano removes support for external configuration via the XML parameter, mitigating the risk of XSS attacks even when the setting is used.
According to the release notes for version 1.1.22.4, which was released this week, the update involves “Improving embedpano() passQueryParameters security: data-urls and external URLs are generally not allowed as parameter values anymore and URLs for the XML parameter are limited to be within the current folder structure.”
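As an added illustration of the allowlist policy those release notes describe (my own Python, not Krpano’s code), the first function below classifies an `xml=` query value the way the fixed behaviour is described, and the second runs that check over constructed web-server log lines so a site owner can find requests that tried to point the viewer at external, inline or out-of-folder XML. The tour folder path and the Common Log Format layout are assumptions.

```python
"""Checks for krpano-style ?xml= overrides (constructed example, not Krpano's code)."""
import posixpath
from urllib.parse import urlparse, parse_qs, unquote

def xml_param_verdict(value: str, tour_dir: str = "/tour/") -> str:
    """Classify one raw `xml=` query value. The policy assumed here mirrors the
    fix described in the release notes: data: URLs and external URLs are
    refused, and plain paths must stay inside the tour's own folder."""
    v = unquote(value).strip()          # second decode also catches %252e%252e
    if not v:
        return "ok"                     # no override requested
    head = v.lower().split("/", 1)[0]   # text before the first slash
    if head.startswith("data:"):
        return "data-url"               # inline payload (e.g. base64 XML)
    if ":" in head or v.startswith("//"):
        return "external-url"           # http(s)://, javascript:, //host
    resolved = posixpath.normpath(posixpath.join(tour_dir, v))
    if not resolved.startswith(tour_dir):
        return "outside-folder"         # absolute path or ../ traversal
    return "ok"

def scan_access_log(lines):
    """Return (line_number, verdict, value) for requests whose query string
    carries an `xml` parameter that the policy would refuse."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            request_path = line.split('"')[1].split(" ")[1]  # "GET /p?q HTTP/1.1"
        except IndexError:
            continue                    # not a CLF request line, skip it
        for value in parse_qs(urlparse(request_path).query).get("xml", []):
            verdict = xml_param_verdict(value)
            if verdict != "ok":
                hits.append((n, verdict, value[:60]))
    return hits

# Constructed sample log lines (Common Log Format), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Mar/2025:10:00:00 +0000] "GET /tour/index.html?xml=sub/lobby.xml HTTP/1.1" 200 512',
    '203.0.113.6 - - [01/Mar/2025:10:00:01 +0000] "GET /tour/index.html?xml=https://other.example/x.xml HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Mar/2025:10:00:02 +0000] "GET /tour/index.html?xml=data:text/xml;base64,PGtycGFubz4= HTTP/1.1" 200 512',
    '203.0.113.8 - - [01/Mar/2025:10:00:03 +0000] "GET /tour/index.html?xml=../../uploads/evil.xml HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```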
It’s not known who is behind the massive operation, although the abuse of an XSS flaw to serve mere redirects, rather than carrying out more nefarious attacks such as credential or cookie theft, raises the possibility that an ad firm with dubious practices is using these ads as a monetization strategy.
Users of Krpano are advised to update their installations to the latest version and set the “passQueryParameters” setting to false. Affected website owners are encouraged to use Google Search Console to locate and remove infected pages.