Spam campaign via XSS vulnerability in Krpano Virtual Tour Framework
Take action: If you are using the Krpano VR framework, patch it as soon as possible; criminals are probably already abusing it.
A widespread campaign exploiting a reflected XSS vulnerability in the Krpano VR library has been discovered affecting hundreds of websites across major organizations including government portals, universities, Fortune 500 companies, and news outlets.
Security researcher Oleg Zaytsev uncovered this large-scale operation while investigating suspicious search results appearing under Yale University's domain.
The vulnerability, tracked as CVE-2020-24901 (CVSS score 6.1), allows attackers to inject malicious scripts by abusing the passQueryParameter setting in Krpano's configuration. This setting, enabled by default in older versions, passes query parameters from the hosting website straight into Krpano's configuration, so the "xml" parameter can be used to load an external XML file containing malicious JavaScript.
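Because the abuse leaves a clear trace in web server logs (a request to the tour page whose "xml" query parameter points at a file on another host), a site operator can check for it retroactively. The script below is an added example, not code from the article or from Krpano: it parses constructed access-log lines in combined log format, percent-decodes the query string, and flags any request whose "xml" parameter names an absolute or protocol-relative URL on a host outside the site's own. The hostnames (tours.example.edu, spam.example) and the log lines are invented for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format); not from the original article.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /tour/index.html?xml=tour.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2025:12:00:02 +0000] "GET /tour/index.html?xml=https://spam.example/casino.xml HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
203.0.113.9 - - [10/Mar/2025:12:00:03 +0000] "GET /tour/index.html?xml=//spam.example/x.xml&startscene=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2025:12:00:04 +0000] "GET /tour/index.html?xml=https%3A%2F%2Fspam.example%2Fporn.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2025:12:00:05 +0000] "GET /tour/index.html?xml=https://tours.example.edu/vt/a.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2025:12:00:06 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_external_xml(value, own_hosts):
    """True if an xml= value points at a host outside own_hosts.

    parse_qs has already percent-decoded the value, so an encoded
    'https%3A%2F%2F...' arrives here as a plain absolute URL. A relative
    path such as 'tour.xml' has no netloc and is treated as local.
    Protocol-relative values ('//host/file.xml') also yield a netloc.
    """
    parsed = urlparse(value.strip())
    if parsed.netloc:
        return parsed.netloc.lower() not in own_hosts
    return False


def find_suspicious_requests(log_text, own_hosts):
    """Return (ip, target, xml_value) for every request whose xml parameter
    would make Krpano load a configuration file from a foreign host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        query = urlparse(target).query
        for xml_value in parse_qs(query, keep_blank_values=True).get("xml", []):
            if is_external_xml(xml_value, own_hosts):
                hits.append((m.group("ip"), target, xml_value))
    return hits


if __name__ == "__main__":
    # own_hosts: the hostnames the tour legitimately lives on (assumed value).
    for ip, target, xml in find_suspicious_requests(SAMPLE_LOG, {"tours.example.edu"}):
        print(f"{ip} requested {target} -> external xml: {xml}")
```

Run against real logs, matches from search-engine crawlers are the most telling, since the spam only pays off once the poisoned page is indexed. A hit on a page whose Krpano is older than 1.22.4 is a signal to upgrade or to stop passing query parameters into the viewer configuration, which the article identifies as the root cause.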
The attackers have leveraged this vulnerability for an industrial-scale SEO poisoning campaign, injecting spam content that appears in Google search results under the authority of trusted domains.
SEO poisoning means they injected spam content that would appear in Google search results under trusted domain names. When users searched for certain terms (like "porn" in the example), they'd see results from reputable domains like Yale University. Clicking these search results would either redirect users to advertising networks or show fake content that appeared legitimate because it was hosted on the trusted domain.
The campaign has been used to distribute:
- Pornographic content
- Online casino promotions
- Diet supplement advertisements
- Fake news
- YouTube view-boosting content
Most exploited websites simply redirect users to ad networks, but in more sophisticated cases like CNN.com, attackers created fake articles that remained on the legitimate domain, weaponizing the trust associated with these major platforms.
Over 350 exploited websites were discovered, some having multiple instances of exploitation. Utah's official state website alone had over 100 indexed spam results at the time of discovery.
The vulnerability affects Krpano versions prior to 1.22.4, where the ability to load external resources through the XML parameter was finally restricted. Even though the patch has been available for years, many websites never applied it.