Gamers are accusing a company that makes mods for Microsoft's Flight Simulator X game of putting a password stealer inside one of its add-ons.
The company defended its decision by saying the tool works as part of a Digital Rights Management (DRM) platform and only activates when users are using a pirated copy of their mod.
The company at the heart of this controversy is Flight Sim Labs, and the mod that got everyone talking is A320-X, a $100 add-on for Microsoft's Flight Simulator X that allows users to pilot Airbus A320 airplanes.
According to a Reddit user named crankyrecursion, the recent version of this mod (FSLabs_A320X_P3D_v22.214.171.124.exe) included a file named test.exe that was a renamed version of an application named "Chrome Password Dump," sold by SecurityXploded.
This tool is a command-line application that extracts passwords from Chrome's internal database, as advertised by SecurityXploded and verified by many users, such as Luke Gorman and the team at Fidus Security.
The presence of such tool in a game mod alarmed users, most fearing the mod maker might have been hacked, and someone hid the tool inside the mod's installer, hoping nobody would notice.
But instead of denouncing any claims of getting hacked, things took a weird turn when Lefteris Kalamaras, the mod-making company's CEO, accused the Reddit user of being a pirate.
According to a post on the company's support forums, Kalamaras explained that the Chrome Password Dump tool was added to the A320-X mod intentionally.
Kalamaras says the test.exe file only runs when the user is trying to activate the mod with a license key known to be associated with pirated copies of the add-on.
" First of all - there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products," Kalamaras says [emphasis preserved].
"There is a specific method used against specific serial numbers that have been identified as pirate copies and have been making the rounds on ThePirateBay, RuTracker and other such malicious sites," Kalamaras adds. "If such a specific serial number is used by a pirate (a person who has illegally obtained our software) and the installer verifies this against the pirate serial numbers stored in our server database, it takes specific measures to alert us."
Kalamaras then goes on to call this Chrome password dumper app a DRM, although one of the strangest one we've ever seen.
" 'Test.exe' is part of the DRM and is only targeted against specific pirate copies of copyrighted software obtained illegally. That program is only extracted temporarily and is never under any circumstances used in legitimate copies of the product. The only reason why this file would be detected after the installation completes is only if it was used with a pirate serial number (not blacklisted numbers)," he says.
"This method has already successfully provided information that we're going to use in our ongoing legal battles against such criminals," Kalamaras says.
Dropping a password dumping tool on all your customers' computers is by far the strangest DRM anyone has ever heard of.
While Kalamaras may be right that the test.exe file will not execute for users who purchased a legitimate copy of the mod, the tool is still there, on users' computers, and could be accidentally triggered by the user himself.
Kalamaras' DRM explanation didn't appease users, but quite the contrary. Eventually, the company issued an update for A320-X today that removed the password stealer.
The company may now be in trouble with law enforcement, as it illegally collected data from users' computers without their agreement or under a warrant.
For a company that charges $100 for a mod —more than the standard $60 price for AAA games, ou would think a better DRM system would have been created.
UPDATE [January 20]: In a new update on the company's forums, Kalamaras clarified that his company included the password stealer inside the mod so they could steal passwords from one person alone, a proficient pirate.