"Spying" on one's own customers is not a new phenomenon. Web browsers have targeted adverts at users based on their search histories since the early days of the internet. Yahoo have long been suspected of monitoring users' emails. Actually going to the lengths of installing malware on customers' computers (without their knowledge) seems to be a step beyond what we are used to seeing.
That, however, is exactly what FlightSimLabs has now admitted.
In a release of a new module (the A320-X), an extra file named "test.exe" was unexpectedly discovered by Reddit user /u/crankyrecursion. On further exploration he or she (in collaboration with other Reddit users) determined that the file was a "Chrome Password Dump" tool. That means it was harvesting saved usernames and passwords (and the corresponding website) from the Google Chrome web browser, and could communicate the data back to FlightSimLabs.
In attempting to get ahead of the inevitable negative coverage of the issue in simulation circles, FlightSimLabs were quick to provide a statement attempting to justify their actions. They announced that it was a counter-piracy measure to be targeted at users who had obtained the module illegally from "ThePirateBay, RuTracker or other malicious sites". They stated that while the program was included in all releases (legitimate and otherwise), it would only be activated if a known pirated serial number was detected.
This did not assuage the angry internet mob, and FlightSimLabs have been roundly condemned online for installing password-stealing software onto the computers of legitimate customers, whether or not they intended to activate that software. They have defended their position again, releasing a further statement this morning informing users that the file was being used to search for only one pirate, and would be removed in a new patch. The mistrust created by this hidden malware is sure to blemish the reputation of a big player in the flight simulation market.
The entire episode poses several very important questions:
How far can a company go to protect their software? How far does the liability go if a user's data is stolen by a third party using this piece of malware on his or her system? Is it ethical to install extraneous software (for whatever purpose) without giving a legitimate user the option to opt-out or decline to install the target program entirely?
It is highly improbable that FlightSimLabs are the first company to have installed this type of malware on users' computers, so it will be interesting to see if others are uncovered in the coming days.
If you have any questions on the above, please do not hesitate to contact the team at McDaniel & Co. on 0191 281 4000 or firstname.lastname@example.org.