Hackers Hijack Virtual Tours: XSS Flaw Turns Websites into Spam Havens
Virtual tour software Krpano has gone rogue, redirecting users from university sites to online casinos and adult content. A reflected cross-site scripting vulnerability in the software is behind this massive spam campaign. Despite attempts to alert the affected organizations, some remain oblivious to their new side hustle in shady ad placement.

Hot Take:
Who knew that your virtual tour of a university campus could take a detour through the seedy underbelly of the internet? Thanks to a vulnerability in Krpano’s software, unsuspecting digital wanderers found themselves redirected from educational institutions to online casinos and adult sites. Talk about a curriculum change! It seems like Krpano gave the phrase “extreme virtual tourism” a whole new meaning. Remember, folks: always use protection—against XSS vulnerabilities, that is!
Key Points:
– A massive spam campaign exploited a vulnerability in Krpano’s virtual tour software.
– The flaw allowed attackers to redirect users to shady websites, including adult content and casinos.
– Over 350 high-profile websites, including government and university sites, were affected.
– The vulnerability, CVE-2020-24901, had been known since 2020, but the initial patches were inadequate.
– Krpano released an updated version on February 24 to mitigate the issue.