A cross-site scripting (XSS) vulnerability in a virtual tour framework has been weaponized by malicious actors to inject malicious scripts across hundreds of websites, with the goal of manipulating search results and fueling a spam ads campaign at scale.
In a report shared with The Hacker News, security researcher Oleg Zaytsev said the campaign, dubbed 360XSS, affected more than 350 websites, including government portals, US state government sites, American universities, major hotel chains, news outlets, car dealerships, and several Fortune 500 companies.
“This was not just a spam operation,” the researcher said. “It was an industrial-scale abuse of trusted domains.”
All of these websites have one thing in common: a popular framework called krpano that is used to embed 360° images and videos to facilitate interactive virtual tours and VR experiences.
Zaytsev said he stumbled upon the campaign after coming across a pornography-related ad listed on Google Search, but with a domain associated with Yale University (“virtualtour.quantuminstitute.yale[.]edu”).
A notable aspect of these URLs is an XML parameter designed to redirect the site visitor to another URL on a different legitimate website, which is then used to deliver a Base64-encoded payload via an XML document. The decoded payload, for its part, loads the target URL (i.e., the ad) from yet another legitimate site.
The XML parameter passed in the original URL served in the search results is part of a broader configuration setting called “passQueryParameters”, which is used when embedding the krpano panorama viewer in an HTML page. It is specifically designed to pass HTTP parameters from the URL to the viewer.
The security issue here is that if the option is enabled, it opens the door to a scenario where an attacker can use a specially crafted URL to execute a malicious script in a victim’s web browser when the vulnerable site is visited.
Indeed, a reflected XSS flaw that resulted in this behavior was disclosed in krpano (CVE-2020-24901, CVSS score: 6.1) in late 2020, indicating that the potential for abuse has been publicly known for four years.
While an update introduced in version 1.20.10 restricted passQueryParameters to an allowlist in an attempt to prevent such XSS attacks, Zaytsev found that explicitly adding the XML parameter to that allowlist reintroduced the XSS risk.
“Since version 1.20.10, krpano’s default installation was not vulnerable,” the researcher told The Hacker News via email. “However, configuring passQueryParameters in combination with the XML parameter allows external XML configuration via the URL, leading to the XSS risk.”
“The exploited versions I encountered were mainly older ones, before 1.20.10.”
The campaign, per Zaytsev, has exploited this weakness to hijack more than 350 sites to serve pornography, dietary supplement ads, online casinos, and fake news sites. What’s more, some of these pages have been weaponized to boost YouTube video views.
The campaign is notable, not least because it abuses the trust and reputation of legitimate domains to appear prominently in search results, a technique called search engine optimization (SEO) poisoning, which in turn is accomplished by abusing the XSS flaw.
“A reflected XSS is a fun vulnerability, but by itself it requires user interaction, and one of the biggest challenges is getting someone to click on your reflected XSS link,” Zaytsev said. “So using a search engine as a distribution platform for your XSS is a very creative and good way.”
Following responsible disclosure, krpano’s latest release removes support for external configuration via the XML parameter, reducing the risk of XSS attacks even when the setting is used.
“Improved embedpano() passQueryParameters security: data-URLs and external URLs are generally not allowed as parameter values, and URLs for the XML parameter are limited to within the current folder structure,” according to the release notes for version 1.22.4.
It is not currently known who is behind the mass operation, although the fact that the XSS flaw is abused only to serve redirects, as opposed to carrying out more nefarious attacks such as credential or cookie theft, raises the possibility of an advertising firm with questionable practices serving these ads as a monetization strategy.
krpano users are advised to update their installations to the latest version and set the “passQueryParameters” setting to false. Affected website owners are recommended to find and remove infected pages through Google Search Console.
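For site owners who want to check their own logs and embed configurations, the following is an added example (not code from the article or from the krpano project). It applies the rule the 1.22.4 release notes describe, that the XML parameter may only point inside the current folder, not to a data: URL or an external URL, to the `xml` query value of each request in a constructed Apache-style access log, decodes any inline data: document so an analyst can see what would have been loaded, and rates an `embedpano()` settings dictionary. The log lines, IPs, paths and the external domain are constructed samples; the assumption that `passQueryParameters` is either a boolean or a comma-separated allowlist of parameter names is mine, not stated on the page.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log entries in combined log format (not real traffic).
# The host path, client IPs and the external domain are illustrative placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2025:10:00:01 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [01/Mar/2025:10:00:02 +0000] "GET /tour/index.html?xml=https%3A%2F%2Fexample.org%2Fredir.xml HTTP/1.1" 200 512 "-" "Googlebot/2.1"
203.0.113.7 - - [01/Mar/2025:10:00:03 +0000] "GET /tour/index.html?xml=data%3Atext%2Fxml%3Bbase64%2CPGtycGFubz48L2tycGFubz4%3D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [01/Mar/2025:10:00:04 +0000] "GET /tour/index.html?xml=..%2F..%2Fuploads%2Fevil.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_xml_param(value: str) -> str:
    """Classify an `xml` query value the way a 1.22.4-style check would:
    only a relative path inside the tour's own folder is acceptable."""
    v = value.strip()
    low = v.lower()
    if low.startswith("data:"):
        return "data_url"          # inline document smuggled in the URL
    if low.startswith("//") or re.match(r"^[a-z][a-z0-9+.-]*:", low):
        return "external_url"      # any scheme or protocol-relative URL
    parts = v.replace("\\", "/").split("/")
    if v.startswith("/") or ".." in parts:
        return "path_traversal"    # escapes the current folder
    return "local"


def is_allowed_xml_path(value: str) -> bool:
    return classify_xml_param(value) == "local"


def decode_data_url(value: str):
    """Return the document carried by a data: URL, or None if it is not decodable."""
    header, _, body = value.partition(",")
    if ";base64" in header.lower():
        try:
            return base64.b64decode(body, validate=True).decode("utf-8", "replace")
        except ValueError:         # binascii.Error is a ValueError subclass
            return None
    return unquote(body)


def scan_log(text: str) -> list:
    """Flag requests whose `xml` parameter would load configuration from
    outside the tour folder; returns one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        params = parse_qs(urlparse(target).query)   # percent-decodes values
        for raw in params.get("xml", []):
            verdict = classify_xml_param(raw)
            if verdict == "local":
                continue
            finding = {"client": client, "method": method, "status": int(status),
                       "xml": raw, "verdict": verdict}
            if verdict == "data_url":
                finding["decoded"] = decode_data_url(raw)
            findings.append(finding)
    return findings


def audit_embed_settings(settings: dict) -> str:
    """Rate an embedpano() settings dict. Assumption (not from the article):
    passQueryParameters is either a bool or a comma-separated allowlist string."""
    pqp = settings.get("passQueryParameters", False)
    if pqp is True:
        return "high: every query parameter, including xml, reaches the viewer"
    if isinstance(pqp, str):
        names = {n.strip().lower() for n in pqp.split(",") if n.strip()}
        if "xml" in names:
            return "high: xml is on the allowlist, so external configuration can be injected"
        return "low: allowlist without xml"
    return "none: passQueryParameters disabled"


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(audit_embed_settings({"xml": "tour.xml", "target": "pano",
                                "passQueryParameters": "xml,startscene"}))
```

Run against a real access log, the three non-"local" verdicts are the ones worth following up: an `external_url` or `data_url` value is exactly the pattern the article describes, and a hit with a search-engine user agent suggests the poisoned URL has already been indexed. The audit function flags both `passQueryParameters: true` and an allowlist that names `xml`, which matches the article's point that the 1.20.10 allowlist only helps if `xml` is left off it.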