When is a game not a game? When you never win.
For years, virtualization software maker Parallels offered the chance to win a free product keys if you “stump the KeyGenie,” a virtual robot which users can play against. Normally, users must buy a product key to run the software beyond its two-week free trial. But if you can make it through five questions without the robot guessing what you’re thinking, the robot says a key “may be yours.”
But it turns out it’s an impossibility.
Security researcher John Wethington alerted gpgmail to the KeyGenie game, more than a year after he told Parallels that the game was impossible to win. He examined at the source code of the webpage to see how it worked. He quickly found that no matter what a user does, the code never allows a user to win a free product key.
“It’s to get people to sign up for a trial by pretending to give them a chance at a free license,” he said. “But the source code proves it never will.”
We asked three security researchers to independently verify our findings. Spoiler alert: they did.
Yonathan Klijnsma, a threat researcher at cyberthreat intelligence firm RiskIQ, looked at the code and found that the robot’s responses were hardcoded.
“There’s never any product key,” he told gpgmail. “You have that winning screen but there’s never a product key on the page,” he said. “You can trigger the case for getting a key but there is no way to get to it.”
Though it’s possible to trick the game into thinking you’ve won, nothing happens — and no key is ever awarded.
“It’s a bunch of hardcoded if-else statements that just take you to the same widget in the end,” said Edwin Foudil, a security researcher who also performed a cursory review of the site. And Baptiste Robert, who’s known for finding security vulnerabilities in apps and websites, said his own checks show nothing is ever pulled from the server after the user wins, suggesting the winner is never served a product key.
“It seems to be a fake game,” said Robert.
We contacted Parallels prior to publication but spokesperson John Uppendahl did not comment. If that changes, we’ll update.
The KeyGenie site was born more than five years ago after Parallels found its popular desktop emulation software was regularly falling victim to software piracy. Hackers would crack the software’s product key algorithm, then build and share their product key generators — known as keygens — on file-sharing sites. Quickly, these keygens floated to the top of search engines, making user piracy even easier.
Parallels built the aptly named “KeyGenie” game so it would rise to the top of search results and replace the illegal keygen search results.
One of Parallels’ marketing agencies at the time published a blog post claims that KeyGenie “will actually hand out keys,” and that the game was “programmed randomly.” The post, published seven months later, “generated dozens of trials” and “four-figures in revenue.”
The Federal Trade Commission, which regulates potentially deceptive advertising and marketing, did not comment outside business hours.