Flight-sim devs say hidden password-dump tool was used to fight pirates [Updated]

The usually staid world of professional-grade flight simulations was rocked by controversy over the weekend, with fans accusing mod developer FlightSimLabs (FSLabs) of distributing "malware" with an add-on package for Lockheed Martin's popular Prepar3d simulation. The developer insists the hidden package was intended as an anti-piracy tool but has removed what it now acknowledges was a "heavy-handed" response to the threat of people stealing its add-on.
The controversy started Sunday when Reddit user crankyrecursion noticed that FSLabs' Airbus A320-X add-on package was setting off his antivirus scanner. FSLabs had already recommended users turn off their antivirus protection when installing the add-on, so this wasn't an isolated issue.
The reason for the warning, as crankyrecursion found, was that the installer seemed to be extracting a "test.exe" file that matched a "Chrome Password Dump" tool that can be found online. As the name implies, that tool appears to extract passwords saved in the Chrome Web browser—not something you'd expect to find in a flight-sim add-on. The fact that the installer necessarily needs to run with enhanced permissions increased the security threat from the "Password Dump."
FSLabs head Lefteris Kalamaras responded to the uproar over the discovery on the company's forums, arguing that the hidden file does not "reveal any sensitive information of any customer who has legitimately purchased our products" (emphasis in original). The file, he insists, is only activated if the installer sees a serial number that matches a database of pirated numbers found floating around on the Internet. "This method has already successfully provided information that we're going to use in our ongoing legal battles against such criminals," he wrote.
In a later update, Kalamaras acknowledges that some users were uncomfortable with "this particular method which might be considered to be a bit heavy-handed on our part." The company promptly released a new installer without the test.exe code included.
"Heavy handed" sounds like quite an understatement, though, given what we know. Kalamaras' statement heavily implies that the original installer did, in fact, attempt to obtain password information from users who installed a product they suspected of being pirated (note the specific language that only "legitimate" users didn't have to worry about their sensitive information being revealed). Whatever your feelings on the ethical and practical implications of piracy, this level of extreme countermeasure is practically unheard of in the PC gaming scene.
The overzealous DRM brings to mind EA's use of unremovable and intrusive SecuROM software to protect some of its titles in 2008 and Sony's installation of a system-destabilizing rootkit inside audio CDs played on PCs in 2007. Both of those efforts led to multiple lawsuits against the publishers, and those instances didn't even reveal any of the users' personal information.
We've reached out to FlightSimLabs for comment and will update if and when we hear back.
Update 8:48pm ET: In a follow-up message posted late Monday, Kalamaras confirmed that the suspicious tool included with the installer was intended to extract Chrome Web browser information from those using pirated copies of the game. However, he writes, that tool was only activated in the case of one specific pirate who had been identified as creating and distributing illicit registration keys via an offline key generation tool.
"We even went so far as to figure out exactly who the cracker was (we have his name available upon request of any authorities), but unfortunately we could not be able to enter the registration-only websites he was using to provide this information to other pirates," Kalamaras writes. "We found through the IP addresses tracked that the particular cracker had used Chrome to contact our servers, so we decided to capture his information directly—and ONLY his information (obviously, we understand now that people got very upset about this—we're very sorry once again!) as we had a very good idea of what serial number the cracker used in his efforts."
Using this method, Kalamaras writes, the FSLabs team was able to "dump that cracker's information needed for us to gain access to those illicit websites, so we could then forward the information to proper legal authorities." What he and his team found, he writes, was "an entire web of operations" dedicated to pirating multiple flight simulators.
Kalamaras emphasized numerous times in his message that the browser-dumping tool in question "will never execute on your machine" unless you are that one specific, targeted cracker. Nonetheless, he also apologized multiple times for even temporarily placing the inactive tool on users' hard drives during the installation process and said he understood why people felt their trust had been violated. Any legitimate customers can request a full refund from the company.
"We have already replaced the installer in question and can only promise you that we will do everything in our power to rectify the issue with those who feel offended, as well as never use any such heavy-handed approach in the future," he writes. "Once again, we humbly apologize!"
Ars Technica