Software developer Flight Sim Labs is in hot water after acknowledging that it installed a password harvester for the Google Chrome browser in its flight simulator product. The company explained it was only targeting pirate users of its software, but critics are calling the tactics “dirty”.
The issue came to a head on Sunday when a Reddit user said that after downloading Flight Sim Labs’ Airbus A320-X add-on package for their desktop flight simulator software, the add-on was “flagged up by various antivirus products” as malicious.
Flight Sim Labs makes premium add-ons for Microsoft Flight Simulator X and Lockheed Martin’s Prepar3D software with prices starting at around $100 each.
Upon further investigation, the Reddit user found a “test.exe” update file included in the add-on’s installer that acted as a command-line tool.
The tool turned out to be Chrome Password Dump, from a company named SecurityXploded. As the name suggests, the program is designed to automatically detect and extract all default passwords embedded in Google’s Chrome browser.
The file seemed out of place in software from Flight Sim Labs, a company specializing in various add-on services for desktop flight simulator platforms.
Lefteris Kalamaras, founder of Flight Sim Labs, responded to the discovery on Monday, stating in a blog post that the file “test.exe” is installed as part of the company’s digital rights management (DRM) efforts and helps alert the company when pirates have installed the add-on package.
Kalamaras said that the company is using a specific method against specific serial numbers that have been identified as pirate copies. He said when a specific pirate copy serial number is used, Flight Sim Labs is alerted.
Kalamaras said in the post that allegations that the software has “indiscriminately” dumped passwords are untrue, and that the malware only targets specific pirate copies of copyrighted software obtained illegally. Furthermore, said Kalamaras, the program is only extracted temporarily and “is never under any circumstances used in legitimate copies of the product.”
“If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us,” said Kalamaras in the post. “The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number (not blacklisted numbers).”
In a follow-up statement, Kalamaras said that he understands that the measures “might be considered to be a bit heavy handed on our part,” and because of that the company has uploaded an updated installer that does not include the DRM check file in question.
Despite the updates, security researchers were raising their eyebrows on Tuesday about the legal and ethical boundaries that Flight Sim Labs was pushing.
This feels very dirty: https://t.co/iizJwnbC4F
— Troy Hunt (@troyhunt) February 19, 2018
Cybersecurity company Fidus Information Security confirmed that the password dumping tool is “only called when a fraudulent serial is used,” but still expressed concern around the ethics of the practice.
“Whilst we fully understand the importance of DRM and combating piracy, it poses the question on how ethical some companies are being in doing so along with the legal and infosec implications of it,” the company said in a statement.