Tech

YooouuuTuuube was the pinnacle of Adobe Flash

Flash may have had its faults, but it was a huge force for creativity on the early web.

Nick McCardel/YouTube

As you were at home celebrating the end of a dismal past year, Adobe Flash officially died a quiet death. Its discontinuation marks the end of an era in the internet's life when people experimented with how the web might look, before it standardized around feeds and platforms. Flash's innovation was that it made it easy for anyone to create interactive content on the web rather than just static webpages.

Trippy — There's perhaps no better example of the creativity Flash enabled than YooouuuTuuube, a project that reimagined videos as mesmerizing collages. Tiles filled the screen, mirroring each frame of a video as it progressed to create a pulsing feeling. Any YouTube video could be run through the app by simply entering its URL; people have commented that YooouuuTuuube was a favored way to watch videos while tripping on psychedelics.

Early web hacks — In a series of tweets commemorating the app, its creator David Kraftsow describes how YooouuuTuuube was uniquely made possible by the same faults that led to Flash's demise. Apple CEO Steve Jobs famously wanted to kill the tech for being slow, but Flash was also riddled with security holes. Kraftsow stumbled upon a vulnerability in the multimedia platform that let him bypass measures that prevent apps from scraping videos off of YouTube.

YouTube and others go to great lengths to block third-party apps from scraping content off their platforms. There are various reasons why they do this. Facebook famously doesn't allow other sites to export its friends lists, out of fear that users could more easily migrate away. And for obvious reasons, YouTube has an obligation to block those once popular sites that created song rips by downloading music videos and extracting the audio. So any app or service that tries to pull information from these platforms sees its IP address blocked pretty quickly.

Flash had built-in restrictions to prevent apps built with it from scraping the internet, but Kraftsow says that, almost by accident, he discovered the Flash Sound API wasn't blocked from scraping audio. And furthermore he found the API would try and read any plaintext webpage that was sent to it.

The result was that weird sounds would be returned, but by looking for patterns in how characters "sounded," Kraftsow was able to create a lookup table that translated the sounds back into plaintext. Entering a URL into the site, a video would load in a user's browser, YooouuuTuuube would read it as audio, and then decode that into its original form. The app couldn't be blocked because the videos were loaded by the end user, not the app.

Unfortunately, anyone with nefarious intentions who found this hack could abuse it to steal sensitive information. Since much interactive content on the web used to be powered by Flash, an attacker could theoretically inject the hack into any Flash media, like a web ad, and once it loaded could read the content in a person's browser. Kraftsow demonstrated how he could read a user's Gmail even when the exploit was loaded in different tab.

End of an era — In the end, Kraftsow reported the vulnerability to HP and received a $7,500 bounty. He believes he could have made upwards of $100K selling it on the dark web, however, where hackers could use the hack to steal sensitive banking and other information.

Flash had its problems, but it's still sad to see so much creativity killed by the platform generation of the web. It's not so much an "open" web anymore than a cluster of walled gardens where information is heavily guarded as a moat for companies to protect their dominant positions in the marketplace.