Hackers Hijack Google’s Search Index With Mass Website Exploitation

A widespread campaign exploiting a reflected Cross-Site Scripting (XSS) vulnerability in the Krpano virtual reality library has been uncovered, affecting hundreds of websites and manipulating Google’s search index for SEO poisoning and spam distribution.

Reflected XSS Vulnerability in Krpano VR Library Exploited at Scale

The vulnerability, tracked as CVE-2020-24901, stems from the default setting of Krpano's passQueryParameter option. With it enabled, URL query parameters are passed straight through to the viewer as configuration settings, including the xml parameter that tells the viewer which XML document to load. An attacker can therefore craft a link to a legitimate page that makes the embedded viewer fetch attacker-controlled XML, which is then processed in the origin of the hosting site.


Because the injected XML runs in the context of the trusted site, the flaw allows arbitrary script execution, which the attackers have used to hijack search results and serve spam advertisements at scale.

High-Profile Targets and Sophisticated Tactics

The campaign has compromised numerous high-profile websites, including government portals, top universities, major hotel chains, news outlets, and Fortune 500 companies.

Attackers have exploited these trusted domains to boost the credibility and search engine rankings of their malicious content.

The operation demonstrates a high level of sophistication, with attackers employing various tactics to maximize their impact.

They have used a large bank of stolen assets and hijacked subdomains belonging to major organizations to host their payloads, so that the malicious XML itself is served from reputable-looking domains.

The campaign has gone beyond simple redirects, with some instances, such as on CNN’s website, involving the injection of fake articles disguised as legitimate content.


Researchers uncovered the campaign's footprint through Google dorking, which turned up thousands of compromised pages across more than 350 websites.

The attackers have optimized their injected content for search engines, controlling titles, descriptions, and preview images, and adding fake review counts and ratings to enhance visibility.

While most of the compromised sites were used to distribute various types of spam advertisements, some were repurposed to artificially boost YouTube views, showcasing the versatility of the attack.

The Krpano developers have addressed the vulnerability in version 1.22.4, which restricts the xml parameter so that it can no longer be used to load external resources. Sites still running older releases, or that explicitly re-enable the permissive behaviour, remain exposed until they upgrade and review their configuration.

However, the widespread nature of the exploit and the difficulty in reaching affected website owners have complicated mitigation efforts.

This campaign highlights the ongoing challenges in web security and the need for organizations to regularly update and properly configure their web technologies.

It also underscores the potential for seemingly minor vulnerabilities to be exploited at scale, with far-reaching consequences for search engine integrity and user trust.
