Stratos Ally

The 360XSS Attack: 350+ Websites Hacked Due to Krpano Vulnerability!


StratosAlly


A new XSS vulnerability has been discovered in the Krpano virtual tour framework, and it allowed attackers to inject spam advertisements into more than 350 websites. The “360XSS” campaign affected a wide range of sites, including government portals, U.S. state government websites, American universities, major hotel chains, news outlets, car dealerships, and multiple Fortune 500 corporations. While examining Google search results, Oleg Zaytsev noticed an adult advertisement on a Yale University domain, which led him to uncover the campaign.

Zaytsev’s investigation showed that every affected domain relied on the Krpano framework, which lets sites embed interactive 360-degree virtual tours. The flaw lies in the framework’s “passQueryParameters” setting: when enabled, it passes HTTP parameters from the page URL straight into the viewer. Left misconfigured, this lets attackers run scripts of their choosing. The attackers exploited this flaw to inject JavaScript payloads through legitimate website URLs, displaying unauthorized advertising content and performing fraudulent redirects.

The attackers also used the vulnerability to manipulate search engine results, making legitimate websites appear to host illicit content. This damaged the affected websites’ reputations and exposed visitors to those pages to unexpected security threats. The impact was especially severe for enterprises that rely on virtual tours to showcase real estate, tourism, and hospitality offerings, since their systems were turned into distribution platforms for unwanted advertising.

All sites running Krpano software should review their configuration settings and apply the required security updates. Security experts advise website administrators to disable query parameter forwarding and enforce effective input validation to reduce the risk of XSS vulnerabilities. As cyber threats continue to evolve, defending against attacks of this scale depends heavily on the secure implementation of third-party frameworks.
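As an added example (not the article’s or krpano’s own code), the mitigation described above in JavaScript: URL query parameters are forwarded to the viewer only when both their names and their value formats are explicitly allowlisted, and everything else is dropped and reported for monitoring. The parameter names and patterns are hypothetical.

```javascript
// Added example, not part of the original article or of krpano itself:
// deny-by-default filtering of URL query parameters before they reach a
// viewer's configuration. Parameter names and value patterns are hypothetical.
const ALLOWED_PARAMS = {
  startscene: /^[A-Za-z0-9_-]{1,64}$/,   // scene identifier only
  hlookat: /^-?\d{1,3}(\.\d{1,3})?$/,     // horizontal look angle
  vlookat: /^-?\d{1,3}(\.\d{1,3})?$/,     // vertical look angle
  fov: /^\d{1,3}(\.\d{1,3})?$/,           // field of view
};

// Returns the parameters that are safe to forward, plus the names that were
// dropped so that unexpected or malformed parameters can be logged.
function filterViewerParams(queryString, allowed = ALLOWED_PARAMS) {
  const params = new URLSearchParams(queryString);
  const accepted = {};
  const rejected = [];
  for (const name of new Set(params.keys())) {
    const values = params.getAll(name);
    // hasOwnProperty keeps names like "constructor" from matching Object.prototype.
    const pattern = Object.prototype.hasOwnProperty.call(allowed, name) ? allowed[name] : undefined;
    // Unknown name, repeated name, or value of the wrong shape: drop it.
    if (pattern === undefined || values.length !== 1 || !pattern.test(values[0])) {
      rejected.push(name);
      continue;
    }
    accepted[name] = values[0];
  }
  return { accepted, rejected };
}

// Constructed sample query strings: one benign, one carrying parameters the
// viewer was never meant to receive from the address bar.
const BENIGN_QUERY = "?startscene=lobby&hlookat=90.5&fov=120";
const SUSPICIOUS_QUERY = "?startscene=lobby&extra=whatever&hlookat=abc";

function demo() {
  for (const q of [BENIGN_QUERY, SUSPICIOUS_QUERY]) {
    const { accepted, rejected } = filterViewerParams(q);
    console.log(q, "->", JSON.stringify(accepted), "dropped:", rejected.join(",") || "none");
  }
}
demo();
```

The `rejected` list is the detection hook: a sudden rise in dropped parameter names on a production viewer page is a signal worth alerting on.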
