The websites of dozens of major private and government organizations have been abused in a massive spam campaign that involves exploitation of a vulnerability affecting widely used virtual tour software.
The attacks were observed recently by researcher Oleg Zaytsev who noticed that a Google search revealed what appeared to be adult content on the website of a major university in the US.
Additional analysis showed that the impacted website hosted a virtual tour powered by software made by Krpano. This software is affected by a reflected cross-site scripting (XSS) vulnerability that has been exploited to lead users to shady websites promoting adult content, diets, hacking services, and online casinos.
Krpano is a widely used framework for panoramic images, enabling the creation of virtual tours and VR environments.
The XSS vulnerability, found in a library that is present on websites using the Krpano software, has allowed a threat actor to redirect users from pages hosted on those sites to arbitrary domains. The attackers used SEO poisoning to lure users to the pages hosting the malicious redirects.
Zaytsev identified — based on Google searches — more than 350 websites exploited by this threat actor, including sites belonging to government organizations, major universities, hotel chains, car dealerships, news outlets, and Fortune 500 companies.
“Most of these sites were very popular and are having millions of visitors each month, and some had been hit multiple times, serving different types of ads,” the researcher said.
In some cases, the attackers did not redirect users to third-party websites and instead managed to embed their shady ads directly on the impacted site to make them more credible. One example is a CNN page, in which the hackers managed to directly embed casino ads.
An investigation by Zaytsev showed that the existence of the vulnerability has been known since 2020, when it was assigned CVE-2020-24901. Krpano developers implemented some restrictions at the time to prevent XSS attacks, but the patch was incomplete and the impact of the flaw was downplayed at the time.
The researcher has notified Krpano developers about the exploitation of the vulnerability and they implemented measures to prevent abuse with the release of version 1.22.4 on February 24.
SecurityWeek has reached out to Krpano for comment and will update this article if the company responds.
Zaytsev attempted to directly notify many of the impacted organizations, but in many cases he did not manage to get through to anyone. In some cases, the affected organization did take steps to address the issue.
Update: Krpano developer Klaus Reinfeld has provided several important clarifications for SecurityWeek:
“I was very recently contacted by Oleg Zaytsev about the possibility that Data-URLs could be still used to inject something if the ‘xml’ parameter was explicitly allowed to pass by query (a very rare and not typically case). Loading xml files from external sources was already blocked in previous releases, so this was basically the last open security issue (for rare cases, but still).
As soon as I have heard about that problem, I had instantly fixed it and added also additional improvements to avoid other more theoretical injecting cases (e.g. if someone could upload files to the same server and then been able to redirect to these files).
The new version 1.22.4 includes all these fixes and improvements. Although I think it’s also important to say that all krpano releases since version 1.20.10 from September 2021 have the passQueryParameters setting either disabled by default or set to harmless values and so shouldn’t be affect-able by XSS anymore.
[…]
The XSS itself is not new but the possibility to ‘hack’ Google to use it for ‘spamy’ search results that way is new, at least for me. All the affected webpages were very probably built with much older krpano versions, where the ‘passQueryParameters:true’ was enabled in an default template (a stupid mistake at this time of course).
And that passQueryParameters:true setting is indeed a problem. Everyone with a krpano-based tour on their servers should change that setting to passQueryParameters:false (or remove the setting at all, because the core default setting is and was always false). I’m recommending that already for years, but often websites were built once and then never been touched again (or even been updated)…
That means fixing the affected websites would be only the change of a single word: searching for ‘passQueryParameters’ in the html file and if found, changing true to false. And that works for ALL krpano versions.”
Related: Critical Vulnerabilities Found in Anti-Spam Plugin Used by 200,000 WordPress Sites
Related: Domains Once Owned by Major Firms Help Millions of Spam Emails Bypass Security