Article Body

Introduction to 360XSS

A cross-site scripting (XSS) vulnerability in a virtual tour framework has been exploited by malicious actors to inject malicious scripts across hundreds of websites. The primary goal of this campaign, dubbed 360XSS, is to manipulate search results and fuel a spam ads campaign at scale. Security researcher Oleg Zaytsev, in a report shared with The Hacker News, stated that the campaign affected over 350 websites, including government portals, U.S. state government sites, American universities, major hotel chains, news outlets, car dealerships, and several Fortune 500 companies.

The Common Factor: Krpano Framework

All these websites have one thing in common: a popular framework called Krpano that’s used to embed 360° images and videos to facilitate interactive virtual tours and VR experiences. Zaytsev said he stumbled upon the campaign after coming across a pornography-related ad listed on Google Search but with a domain associated with Yale University ("virtualtour.quantuminstitute.yale[.]edu").

Technical Details of the Campaign

A notable aspect of these URLs is an XML parameter that’s designed to redirect the site visitor to a second URL that belongs to another legitimate website, which is then used to execute a Base64-encoded payload via an XML document. The decoded payload, for its part, fetches the target URL (i.e., the ad) from yet another legitimate site. The XML parameter passed in the original URL served in the search results is part of a broader configuration setting named "passQueryParameters" that’s used when embedding a Krpano panorama viewer into an HTML page.

Security Issue

The security issue here is that if the option is enabled, it opens the door to a scenario where an attacker could use a specially crafted URL to execute a malicious script in a victim’s web browser when the vulnerable site is visited. Indeed, a reflected XSS flaw arising as a result of this behavior was disclosed in Krpano in late 2020 (CVE-2020-24901, CVSS score: 6.1), indicating that the potential for abuse has been publicly known for over four years.

Campaign’s Scale and Impact

The campaign, per Zaytsev, has leveraged this weakness to hijack over 350 sites to serve sketchy ads related to pornography, diet supplements, online casinos, and fake news sites. What’s more, some of these pages have been weaponized to boost YouTube video views. The campaign is noteworthy, not least because it abuses the trust and credibility of legitimate domains to show up prominently in search results, a technique called search engine optimization (SEO) poisoning, which, in turn, is accomplished by abusing the XSS flaw.

Mitigation and Conclusion

Following responsible disclosure, the latest release of Krpano eliminates support for external configuration via the XML parameter, thereby mitigating the risk of XSS attacks even when the setting is used. Users of Krpano are advised to update their installations to the latest version and set the "passQueryParameters" setting to false. Affected website owners are recommended to find and remove infected pages via Google Search Console.

Additional Information

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.