Hackers Exploited Krpano Framework Flaw to Inject Spam Ads on 350+ Websites

A cross-site scripting (XSS) flaw in a virtual tour framework was exploited by malicious actors in a campaign tracked as 360XSS. The campaign hit more than 350 websites, including government portals, universities, hotels, news outlets, and Fortune 500 companies, injecting scripts that manipulated search results and promoted spam ads.

Security researcher Oleg Zaytsev discovered the campaign after encountering a pornographic ad in Google Search results that was linked to Yale University’s domain. All of the affected websites used Krpano, a popular framework for embedding 360° images and videos to build interactive virtual tours and VR experiences.

The XSS vulnerability stemmed from a Krpano configuration setting called “passQueryParameters,” which forwards parameters from the page URL into the viewer’s configuration. With it enabled, an attacker could craft a URL whose “xml” parameter pointed the viewer at an attacker-hosted XML file, and the script carried in that file then ran in the context of the legitimate site. Version 1.20.10 restricted the forwarded parameters to an allowlist, but Zaytsev found that sites which added the xml parameter to that allowlist reintroduced the vulnerability.

The campaign used this weakness to inject script into pages on these sites and serve illicit ads for pornography, diet supplements, online casinos, and fake news sites. Because the injected pages sat on legitimate, high-reputation domains, the attackers could push them up the search rankings, a technique known as SEO poisoning.

Following responsible disclosure, Krpano released version 1.22.4, which drops support for loading external configuration through the xml parameter, closing off this XSS vector. Site owners should update to the latest version and disable the “passQueryParameters” setting.
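The forwarding behaviour described above and the hardened setting, as an added example that is not Krpano’s own code: a JavaScript model of a passQueryParameters-style setting that shows why a plain allowlist holds, why adding xml to it reintroduces the flaw, and why disabling the setting closes it, plus a check that scans access-log lines for requests whose xml parameter points at another origin. The names xml and passQueryParameters come from the article; the helper names, the allowlist semantics modelled here, and the sample log lines are assumptions constructed for this example.

```javascript
// Added example (not Krpano's code): model of a passQueryParameters-style
// forwarding step and a log check for the 360XSS request pattern.
// Assumed: the viewer merges forwarded URL parameters over its embedded
// config, so a forwarded `xml` replaces the site's own tour file.

// Base viewer configuration as a site operator might embed it (assumed shape).
const BASE_CONFIG = { xml: "tour.xml", target: "pano" };

// `setting` models the forwarding policy:
//   false        -> nothing from the URL reaches the viewer (hardened)
//   true         -> every query parameter is forwarded (legacy behaviour)
//   [names...]   -> only the listed parameter names are forwarded (allowlist)
function forwardedParams(pageUrl, setting) {
  const out = {};
  if (!setting) return out;
  const allow = Array.isArray(setting) ? new Set(setting) : null;
  for (const [name, value] of new URL(pageUrl).searchParams) {
    if (allow === null || allow.has(name)) out[name] = value;
  }
  return out;
}

// Forwarded parameters override the embedded defaults.
function effectiveConfig(base, pageUrl, setting) {
  return { ...base, ...forwardedParams(pageUrl, setting) };
}

// True when the request's `xml` parameter resolves to a different origin
// than the page, i.e. the viewer would fetch attacker-controlled XML.
// Covers absolute URLs and protocol-relative ones such as //host/file.xml.
function isExternalXmlInjection(pageUrl) {
  const page = new URL(pageUrl);
  const xml = page.searchParams.get("xml");
  if (xml === null) return false;
  try {
    return new URL(xml, page).origin !== page.origin;
  } catch {
    return false; // unparsable value cannot trigger a cross-origin fetch
  }
}

// Constructed access-log lines (common log format) for a site at SITE_ORIGIN.
const SITE_ORIGIN = "https://tour.example";
const SAMPLE_LOG = [
  '203.0.113.5 - - [21/Feb/2025:10:00:01 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 512',
  '203.0.113.9 - - [21/Feb/2025:10:00:07 +0000] "GET /tour/index.html?xml=https://spam.example/ads.xml HTTP/1.1" 200 512',
  '198.51.100.2 - - [21/Feb/2025:10:01:11 +0000] "GET /tour/index.html?startscene=lobby HTTP/1.1" 200 512',
  '198.51.100.7 - - [21/Feb/2025:10:02:30 +0000] "GET /tour/index.html?xml=//spam.example/ads.xml HTTP/1.1" 200 512',
];

// Return the log lines whose request target carries a cross-origin `xml`.
function flagLogLines(lines, siteOrigin) {
  const flagged = [];
  for (const line of lines) {
    const m = /"(?:GET|POST) (\S+) HTTP\//.exec(line);
    if (!m) continue;
    if (isExternalXmlInjection(siteOrigin + m[1])) flagged.push(line);
  }
  return flagged;
}

// Stand-alone demo: the same crafted URL against four forwarding policies.
const DEMO_URL =
  "https://tour.example/tour/index.html?xml=https://spam.example/ads.xml&startscene=lobby";
console.log(effectiveConfig(BASE_CONFIG, DEMO_URL, true).xml);                 // https://spam.example/ads.xml
console.log(effectiveConfig(BASE_CONFIG, DEMO_URL, ["startscene"]).xml);       // tour.xml (allowlist holds)
console.log(effectiveConfig(BASE_CONFIG, DEMO_URL, ["startscene", "xml"]).xml); // https://spam.example/ads.xml (reintroduced)
console.log(effectiveConfig(BASE_CONFIG, DEMO_URL, false).xml);                // tour.xml (hardened)
console.log(flagLogLines(SAMPLE_LOG, SITE_ORIGIN).length);                     // 2
```

The log check is worth running alongside Google Search Console: the malicious XML is fetched by the visitor’s browser, not by the victim site, so the only server-side trace of an exploitation attempt is the request URL carrying the cross-origin xml parameter.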

The perpetrators behind the campaign remain unknown, but the focus on ad redirects points to a monetization scheme rather than more damaging activity such as data theft. Website owners are urged to check for injected pages using Google Search Console and to remove any they find.
