360XSS: The Epic Fail of 350+ Sites in the Great Virtual Tour Hijack
The 360XSS campaign exploited a Krpano XSS vulnerability to hijack search results, distributing spam ads across 350+ sites, including government and university domains. This attack manipulated a virtual tour tool to inject malicious scripts, highlighting a shift from malware to exploiting web framework flaws.

Hot Take:
**_Oh, Krpano, you had one job! Instead of showing off beautiful 360° views, you’re now showcasing how to turn prestigious domains into spam ad billboards. Who knew virtual tours could lead to such real-world headaches? Maybe it’s time to get our cybersecurity magnifying glasses and search for those pesky vulnerabilities before they turn our beloved university sites into the Wild West of the internet._**
Key Points:
– A massive attack campaign, dubbed “360XSS,” exploited a vulnerability in the Krpano virtual tour framework.
– The vulnerability, tracked as CVE-2020-24901, allowed attackers to inject malicious code into websites that use Krpano.
– Over 350 websites, including government, educational, and media domains, were compromised for spam advertisement distribution.
– The campaign primarily used SEO poisoning to manipulate search results and boost spam ad visibility.
– The attackers remain unidentified but, based on clues from the investigation, are suspected to be an Arab group.