A significant security vulnerability, identified as a cross-site scripting (XSS) flaw, has been exploited in a widely used virtual tour framework, allowing cybercriminals to inject harmful scripts into hundreds of websites. This malicious activity aims to manipulate search results and promote spam advertising on a large scale.
According to a report by security researcher Oleg Zaytsev shared with The Hacker News, the operation, termed 360XSS, has impacted over 350 websites, targeting a diverse range of entities including government agencies, U.S. state websites, academic institutions, prominent hotel chains, media outlets, car dealerships, and numerous Fortune 500 corporations.
Zaytsev emphasized the gravity of the situation, stating, “This is not merely a spam initiative; it represents an industrial-scale exploitation of trusted domains.” The commonality among the compromised websites is their reliance on a popular framework known as Krpano, which facilitates the embedding of 360° images and videos for interactive virtual tours and VR experiences.
The campaign was uncovered when Zaytsev noticed a pornographic ad appearing in Google search results that was linked to a domain associated with Yale University. This led him to investigate further into the extent of the campaign’s reach.
One striking feature of the compromised URLs involves an XML parameter crafted to redirect users to a second URL belonging to another legitimate site, which subsequently executes a Base64-encoded payload delivered through an XML document. This payload is then responsible for retrieving the target URL of the ad from yet another authentic source. This exploitation method leverages the XSS vulnerability, allowing attackers to execute scripts within the web browsers of users who visit the affected sites.
The specific XML parameter used in the URLs is part of a broader configuration known as “passQueryParameters”, which is utilized when embedding a Krpano panorama viewer in an HTML context. This feature is intended to transfer HTTP parameters from the URL to the viewer, but if enabled, it creates vulnerabilities that cybercriminals can exploit to run malicious scripts.
A reflected XSS vulnerability associated with this behavior was previously documented in Krpano back in late 2020, underscoring the known potential for abuse over the last four years. Although an update in version 1.20.10 aimed to restrict the “passQueryParameters” setting to an allowlist to thwart such attacks, Zaytsev found that adding the XML parameter to this allowlist inadvertently reintroduced the XSS risk.
Zaytsev clarified that, while Krpano’s default installation since version 1.20.10 has not been inherently susceptible, misconfigurations that combine passQueryParameters with the XML parameter have allowed external XML configurations to be supplied through the URL, consequently exposing sites to XSS. He noted that most of the installations exploited by the campaign were running versions older than 1.20.10.
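As an added example (not code from the article or from the Krpano project), the following Node.js script shows the two checks a site administrator can make from the defender's side: first, a log audit that flags viewer requests whose “xml” query parameter resolves to a host other than the site's own, or to a non-HTTP source, which is the URL pattern the campaign relied on; second, a check of an embedpano() passQueryParameters value that reports whether “xml” would be forwarded to the viewer at all. The hostname, the access-log lines, the parameter names “startscene” and “startlookat”, and the reading of the option's semantics (true forwards everything; a comma-separated string acts as an allowlist since 1.20.10) are assumptions for the example.

```javascript
// Added example (not from the article or the Krpano project): audit access-log
// lines for Krpano viewer requests whose "xml" query parameter points outside
// the site, and check whether an embedpano() passQueryParameters setting would
// forward "xml" at all. Hostnames, log lines and option semantics are assumed.

const SITE_HOST = "tour.example.edu"; // assumed hostname of the site being audited

// Explain why a request's "xml" parameter is suspicious, or return null if the
// request carries no "xml" parameter or it resolves to an .xml file on our host.
function classifyXmlParam(requestUrl) {
  let page;
  try {
    page = new URL(requestUrl);
  } catch (e) {
    return "unparseable request URL";
  }
  const xml = page.searchParams.get("xml");
  if (xml === null) return null;
  let target;
  try {
    target = new URL(xml, page); // relative values resolve against the page URL
  } catch (e) {
    return "malformed xml parameter";
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return "non-http xml source (" + target.protocol + ")";
  }
  if (target.hostname !== SITE_HOST) {
    return "xml loaded from external host " + target.hostname;
  }
  if (!target.pathname.toLowerCase().endsWith(".xml")) {
    return "xml parameter does not point at an .xml file";
  }
  return null;
}

// Parse Common Log Format lines (an assumed log format) and return one finding
// per request whose xml parameter classifyXmlParam() flags.
function auditAccessLog(logText) {
  const findings = [];
  const requestRe = /"(?:GET|HEAD|POST) (\S+) HTTP\/[\d.]+"/;
  for (const line of logText.split("\n")) {
    const m = requestRe.exec(line);
    if (!m) continue;
    const reason = classifyXmlParam("https://" + SITE_HOST + m[1]);
    if (reason !== null) findings.push({ path: m[1], reason });
  }
  return findings;
}

// Assumed semantics of embedpano({ passQueryParameters }) as the article
// describes them: `true` forwards every URL parameter to the viewer; since
// 1.20.10 a comma-separated allowlist string can be used instead. Returns true
// when "xml" would reach the viewer, which is the misconfiguration to avoid.
function forwardsXmlParameter(setting) {
  if (setting === true) return true;
  if (typeof setting === "string") {
    return setting.split(",").map((s) => s.trim().toLowerCase()).includes("xml");
  }
  return false; // false or unset: nothing is forwarded
}

// Constructed sample log: a benign relative xml, an external host, a request
// without xml, and a non-http source.
const SAMPLE_LOG = [
  '198.51.100.7 - - [10/Feb/2025:10:01:02 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 5120',
  '198.51.100.8 - - [10/Feb/2025:10:01:05 +0000] "GET /tour/index.html?xml=https://other-site.example.org/x.xml HTTP/1.1" 200 5120',
  '198.51.100.9 - - [10/Feb/2025:10:01:09 +0000] "GET /tour/index.html?startscene=lobby HTTP/1.1" 200 5120',
  '198.51.100.10 - - [10/Feb/2025:10:01:12 +0000] "GET /tour/index.html?xml=data:text/xml,%3Ckrpano%3E HTTP/1.1" 200 5120',
].join("\n");

// Constructed embed configurations; "startscene" and "startlookat" are assumed
// parameter names used only to show the allowlist shape.
const EMBED_CONFIGS = {
  weak: { xml: "tour.xml", target: "pano", passQueryParameters: true },
  stillWeak: { xml: "tour.xml", target: "pano", passQueryParameters: "startscene,xml" },
  hardened: { xml: "tour.xml", target: "pano", passQueryParameters: "startscene,startlookat" },
};

for (const [name, cfg] of Object.entries(EMBED_CONFIGS)) {
  console.log(name + ": forwards xml = " + forwardsXmlParameter(cfg.passQueryParameters));
}
for (const f of auditAccessLog(SAMPLE_LOG)) {
  console.log("FLAG " + f.path + " :: " + f.reason);
}
```

Resolving the parameter against the page URL means a protocol-relative value such as `//other-site.example.org/a.xml` is caught as an external host rather than slipping through as "relative", and the allowlist check is case- and whitespace-insensitive so a stray ` XML` entry is still reported. Neither check replaces the upgrade and the disabling of the option that the article recommends; they are meant to find the pages that still need it.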
The campaign has exploited the XSS weakness to take control of numerous sites, directing traffic to advertisements related to pornography, diet supplements, online gambling, and disinformation sites. Additionally, some compromised pages have been manipulated to artificially inflate views on YouTube videos.
This attack strategy is particularly notable for its use of established and credible domains to gain prominent visibility in search results—a method known as SEO poisoning. This technique, combined with the XSS exploit, allows attackers to effectively bypass user safeguards typically in place against such risks.
While the true identities behind this expansive operation remain uncertain, the focus on redirecting traffic rather than conducting more harmful attacks like credential theft or cookie manipulation suggests that the campaign might be orchestrated by an ad agency employing questionable methods for monetization.
Krpano users are urged to update to the latest version and to disable the “passQueryParameters” option immediately. Website administrators affected by this incident are also encouraged to identify and eliminate compromised pages using Google Search Console.