
But the main characteristic of malware is that it works for someone other than the user, no? Research software works for the user themselves.


And something using keystroke injection to abuse the exception?


Is called an automation tool.

Like PowerShell, or Microsoft Automate or Tosca, which can all run keystroke injection, but aren't flagged.


My question was rhetorical and intended to point out that granting an exception for 'good' software to do a bad thing is just allowing bad actors to do the bad thing.

Then, when the exception has to be revoked, the backlash is massive. Look up the recent example of the driver FanControl used to issue SMBus commands being blacklisted.


I was pointing out that keystroke injection is already the norm. The exception is banning it for some software.

It has been the norm since we first started automating processes designed more for people than automation. It will remain the norm for as long as that exists.


Ehh. The only structural gap from a local password logger to a universal account takeover is whether you’re receptive to nice men who explain that they’d like you to send them a “log file”. Working on a user’s behalf has to include protecting them from security holes they might not expect.



