A cross-site scripting (XSS) vulnerability in a virtual tour framework has been weaponized by malicious actors to inject malicious scripts across hundreds of websites with the goal of manipulating search results and fueling a spam ads campaign at scale.
Security researcher Oleg Zaytsev, in a report shared with The Hacker News, said the campaign – dubbed 360XSS – affected over 350 websites, including government portals, U.S. state government sites, American universities, major hotel chains, news outlets, car dealerships, and several Fortune 500 companies.
“This wasn’t just a spam operation,” the researcher said. “It was an industrial-scale abuse of trusted domains.”
All these websites have one thing in common: A popular framework called Krpano that’s used to embed 360° images and videos to facilitate interactive virtual tours and VR experiences.
Zaytsev said he stumbled upon the campaign after coming across a pornography-related ad listed on Google Search but with a domain associated with Yale University (“virtualtour.quantuminstitute.yale[.]edu”).
A notable aspect of these URLs is an XML parameter that’s designed to redirect the site visitor to a second URL that belongs to another legitimate website, which is then used to execute a Base64-encoded payload via an XML document. The decoded payload, for its part, fetches the target URL (i.e., the ad) from yet another legitimate site.
The XML parameter passed in the original URL served in the search results is part of a broader configuration setting named “passQueryParameters” that’s used when embedding a Krpano panorama viewer into an HTML page. It’s specifically designed to pass HTTP parameters from the URL to the viewer.
The security issue here is that if the option is enabled, it opens the door to a scenario where an attacker could use a specially crafted URL to execute a malicious script in a victim’s web browser when the vulnerable site is visited.
Indeed, a reflected XSS flaw arising as a result of this behavior was disclosed in Krpano in late 2020 (CVE-2020-24901, CVSS score: 6.1), indicating that the potential for abuse has been publicly known for over four years.
While an update introduced in version 1.20.10 restricted “passQueryParameters” to an allowlist in an attempt to prevent such XSS attacks from taking place, Zaytsev found that explicitly adding the XML parameter to the allowlist reintroduced the XSS risk.
“Since version 1.20.10, Krpano’s default installation was not vulnerable,” the researcher told The Hacker News via email. “However, configuring passQueryParameter in combination with the XML parameter allowed external XML configuration via the URL, leading to an XSS risk.”
“The exploited versions I’ve come across were primarily older ones, predating version 1.20.10.”
The campaign, per Zaytsev, has leveraged this weakness to hijack over 350 sites to serve sketchy ads related to pornography, diet supplements, online casinos, and fake news sites. What’s more, some of these pages have been weaponized to boost YouTube video views.
The campaign is noteworthy, not least because it abuses the trust and credibility of legitimate domains to show up prominently in search results, a technique called search engine optimization (SEO) poisoning, which, in turn, is accomplished by abusing the XSS flaw.
“A reflected XSS is a fun vulnerability but on its own requires user interaction, and one of the biggest challenges is to make people click your reflected XSS link,” Zaytsev said. “So using search engines as a distribution platform for your XSS is a very creative and cool way to do it.”
Following responsible disclosure, the latest release of Krpano eliminates support for external configuration via the XML parameter, thereby mitigating the risk of XSS attacks even when the setting is used.
“Improved embedpano() passQueryParameters security: data-urls and external URLs are generally not allowed as parameter values anymore and URLs for the XML parameter are limited to be within the current folder structure,” according to the release notes for version 1.22.4 released this week.
It’s currently not known who is behind the massive operation, although the abuse of an XSS flaw to serve just redirects, as opposed to carrying out more nefarious attacks like credential or cookie theft, raises the possibility of an ad firm with questionable practices that’s serving these ads as a monetization strategy.
Users of Krpano are advised to update their installations to the latest version and set the “passQueryParameters” setting to false. Affected website owners are recommended to find and remove infected pages via Google Search Console.
