Software From The Pits of Hell: Remembering Flashstuffer

How Flash became the ultimate sandbox escape and riddled millions of users with malware via Flashstuffer.

It's been two years since Adobe deprecated the Flash Player, which was responsible for my generation's favourite pastime: playing games on Newgrounds.com.

But later I would learn that Flash is not just useful for creating fun video games. For one, Flash was a security nightmare, which was one of the reasons why it got retired. The thing had so many damn bugs and exploits that netsec people probably still have PTSD from it. It was also a chief vector of malware delivery, as you could make Flash banners do all sorts of malicious stuff, and millions were spent trying to keep bad actors out of advertising ecosystems because of that.

I work in a different kind of security - anti-fraud - and one day I also had to start dealing with Flash.

Because in the right hands, ActionScript (the programming language you'd use to write Flash) could be used to rob a bank.

And rob it did, relieving untold numbers of dollars from unsuspecting companies running affiliate programs.

Before we get to how it could do that, you need to understand a technical detail about affiliate / performance marketing in general.

Affiliate marketing is a simple concept: become our partner, bring us buyers, and you get a percentage of the purchase amount, a flat fee, or some similar reward. The way it works is that affiliates have their own unique links, and once someone clicks through that link, they get a cookie from the affiliate program. Should the person make a purchase, the system then reads the contents of the cookie and attributes the affiliate as the source of the buy. Different programs have different setups for this, like whether or not affiliate cookies can be overwritten, how long the cookie lives, etc., and it's a lot of fine tuning for each company to figure out what works best.

Now Google gets a bad rep for restructuring the content of the web around the demands of its crawler, but affiliate programs have a similar effect, and the two go hand in hand. The affiliate really, really wants you to click their link, so if you do end up making a buy related to what you just read about, they get money out of it.

It's simple and efficient, and it's a good tactic to get more customers.

It's also a potentially million dollar security hole.

Because one way to abuse this system is called cookie stuffing: if you know your JavaScript and HTML, you can open those affiliate links in the background, without the user actually clicking on anything. This is spray and pay, and the affiliate is essentially robbing either other affiliates or your marketing budget directly by unfairly getting credited for buyers who reached your site by other means.

(It's also highly illegal, and in a famous case eBay's top affiliates served time for doing it.)

Now if you were one of those unlucky people who had to code ActionScript, you might remember that it could do all sorts of funky stuff, like open up iframes or call JavaScript functions.

Which means you could use Flash for cookie stuffing.

Enter Flashstuffer, the software from hell.

Catching cookie stuffers is trivial if they’re not sophisticated - you just open the site where they send their traffic from, see if you get a cookie and bam, got ‘em.

Flashstuffer came packed with all the means to obfuscate the fact that you were cookie stuffing: criminals could calibrate who to stuff and when, even faking the source of their traffic to throw analysts off track.
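The two passages above describe what the defender sees: a stuffed cookie with no real visit behind it, and referrers that don't match where the affiliate claims to send traffic from. The following is an added example, not code from the original post, that scores affiliates from a constructed click log along those two axes. The log format, the "dwell" field (seconds a visitor spent on the landing page; 0 means the page was loaded but never shown to a person) and the registered-site table are all assumptions, not any real program's schema.

```python
from collections import defaultdict

# Constructed sample of an affiliate program's click log (assumed format):
# affiliate id, referrer host the click came from, landing-page dwell time
# in seconds, and whether a purchase was later attributed to the cookie.
CLICK_LOG = [
    "aff=blog42 ref=blog42.example dwell=95 conv=1",
    "aff=blog42 ref=blog42.example dwell=12 conv=0",
    "aff=blog42 ref=blog42.example dwell=210 conv=1",
    "aff=stuff9 ref=adnet.example dwell=0 conv=0",
    "aff=stuff9 ref=adnet.example dwell=0 conv=1",
    "aff=stuff9 ref=news.example dwell=0 conv=0",
    "aff=stuff9 ref=adnet.example dwell=0 conv=1",
    "aff=stuff9 ref=blog42.example dwell=0 conv=0",
]

# Domains each affiliate registered as the sites it promotes from (constructed).
# Clicks arriving from anywhere else are the "faked source" the post mentions.
REGISTERED_SITES = {"blog42": {"blog42.example"}, "stuff9": {"stuff9.example"}}


def parse_line(line):
    """Split one 'key=value ...' log line into (aff, ref, dwell, converted)."""
    kv = dict(field.split("=", 1) for field in line.split())
    return kv["aff"], kv["ref"], int(kv["dwell"]), kv["conv"] == "1"


def score_affiliates(lines, dwell_floor=2, max_no_dwell=0.9, max_off_site=0.5):
    """Aggregate clicks per affiliate and flag traffic that looks stuffed:
    almost no click has human dwell time (the link was opened in a hidden
    frame, not visited), or most referrers are not the affiliate's own sites."""
    stats = defaultdict(lambda: {"clicks": 0, "no_dwell": 0, "off_site": 0, "conv": 0})
    for line in lines:
        aff, ref, dwell, conv = parse_line(line)
        s = stats[aff]
        s["clicks"] += 1
        s["no_dwell"] += dwell < dwell_floor
        s["off_site"] += ref not in REGISTERED_SITES.get(aff, set())
        s["conv"] += conv
    report = {}
    for aff, s in stats.items():
        no_dwell_rate = s["no_dwell"] / s["clicks"]
        off_site_rate = s["off_site"] / s["clicks"]
        report[aff] = {
            "clicks": s["clicks"], "conversions": s["conv"],
            "no_dwell_rate": no_dwell_rate, "off_site_rate": off_site_rate,
            "flag": no_dwell_rate > max_no_dwell or off_site_rate > max_off_site,
        }
    return report


if __name__ == "__main__":
    for aff, r in score_affiliates(CLICK_LOG).items():
        print(aff, r)
```

The thresholds are deliberately coarse; in practice an analyst would tune them per program, since a legitimate affiliate with a short-dwell audience will trip a naive dwell rule.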

Moreover, back in the day Flash was the format for animated banner ads. This means that someone armed with Flashstuffer could just hit up ad networks, buy a bunch of traffic to load their Flash banners, and stuff millions of users with the affiliate cookies of their choosing.

Just imagine the scenario: your marketing team is spending a bunch of money on getting your brand in front of potential customers, while some geek running Flashstuffer buys a smaller banner space on the same website.

Yeah.

We still don’t know who built Flashstuffer, but they clearly knew what they were doing. We also don’t know how much money was lost to it, as merchants and affiliate programs tried to weed out their bad actors.

The battle against Flashstuffer was eventually won only with the discontinuation of Flash. There are still some systems running it, but it isn't on enough consumer machines to make using it feasible or profitable.

Advertising networks have also gotten better at checking what's running on their systems, with automated detection looking for bad ads, but that's a different story.

Because while we got rid of Flash, understood to be a security nightmare partly because it's third-party code running on your website, we now have HTML5 advertisements, which are… third-party code running on your website.

And so it goes.