Personal webmastering advice: Filezilla means high risk, it contains a gigantic security hole!

By Oliver (AKA the Admin), 33 comments
in Categories: Just Talking

I am truly disappointed in the Filezilla admins' behaviour

It saddens me quite a bit to have to write it, but, as a webmaster, I think I have to give this advice: if you use Filezilla too, you made the WRONG choice.
Give up on it and find an alternative :(

In short: Filezilla = MASSIVE security hole.

I'm explaining in more detail below :(

Quite simply, Filezilla stores your usernames and passwords in plain text in an unprotected file, for both FTP and SFTP. "Unprotected" means exactly that: nothing more than the ordinary file permissions of your user profile stands between that file and any program, or any person, running under your account.

No master password, no obfuscation, no salt, no database storage, nothing at all.
On Windows 7 the file is %APPDATA%\FileZilla\sitemanager.xml, i.e. C:\Users\<username>\AppData\Roaming\FileZilla\sitemanager.xml (AppData is a hidden folder, which is why people who go looking with default Explorer settings do not find it). On Linux and Mac OS X the same file lives in ~/.config/filezilla/sitemanager.xml, in a dot-directory that Finder and most file managers hide by default.

Uninstalling the program does not clean up after it: the file, with every password in it, stays in that folder until you delete it yourself.

This was SO incredible when I found out that I was shocked. To me it was "evidently obvious" that this would be protected.

Look, would you forgive your internet browser (Firefox, Chrome, IE, Opera, Safari…) or your email client (Thunderbird, Outlook Express…) if they stored your passwords in plain, exploitable text? Not even "would you forgive": could you forgive?
Definitely not.

And yet, the developers of Filezilla have made the firm choice to keep the passwords in the clear, available to anyone (see a discussion in which all sound pleas were rejected). Their argument is quite simple: protecting passwords is the user's responsibility, and if you are an elite, experienced professional with full control of and full knowledge about your machine, you risk nothing.

And if we are not that perfect professional, but just a random person?
You have no right to screw up. At all.
Nothing is done to reduce the amount of harm you are exposed to if you do screw up: fuck you, lame newb with human defects.
Errr…

So, the day you are fucked because someone managed to access your machine (remotely; or a roommate who carelessly downloads suspicious pornmovie.exe files while you forgot to log off before leaving; or anything else, simply discovering that an unidentified spyware has contaminated your machine is enough), this means that, as an added bonus, "merry surprise, motherfucker!", all your sites are compromised as well: they could have been accessed behind your back, and the stolen file keeps working until every password in it has been changed on the servers.

If your FTP credentials are copied, whoever has them can upload, edit, delete and download files on your server, which includes planting code in every page of the sites you host there.
If it is an SFTP account, the person who copied your plain text username and password now has a login on the server itself, with every right that account has. SFTP does not make anyone root by itself, but many small servers are administered through the root account (or one that can sudo), and if that is the account you saved, your machine is now fully theirs: it can become another zombie, distribute CP, spam the world, be used to copy commercial or banking data, serve websites you had no idea it served, or any other sicker shit.

There would be a few solutions:
– still use Filezilla but
> NOT allow the program to remember any password (impossible for me, I have passwords that are a pain to type and practically impossible to remember)
> use a third-party program like KeePass to securely store your passwords and paste them into the connection dialog of Filezilla each time (still a pain in the ass, lots of time lost copy-pasting the credentials; and note that whatever sits in the clipboard is readable by other programs too, so let KeePass clear it after a few seconds)
> for SFTP, log in with an SSH key pair instead of a password: Filezilla can authenticate with a private key you add under Settings > SFTP, the key is protected by its own passphrase, and sitemanager.xml then contains no secret at all
– give up on this genius program ruined by ayatollah-like elitist security opinions, and opt for other programs that protect your credentials, like WinSCP or BitKinex. (Sorry, no idea for Macs and Unix/Linux machines, you may leave comments with recommendations if you like.)
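As an added example (not code from this post nor from the FileZilla project), here is a small Python audit that does what a thief would do with the file described above, and then what the first solution amounts to: it parses sitemanager.xml, lists every site that carries a recoverable password (flagging root accounts), and can rewrite the file so those sites prompt for the password instead. It assumes the element layout FileZilla 3 writes (a list of <Server> entries with <Host>, <Protocol>, <User>, <Pass> and <Logontype>; Protocol 0 = FTP, 1 = SFTP; Logontype 1 = stored password, 2 = ask every time), and the sample document is constructed for the demo. Later FileZilla releases (3.26 onward) wrap the same value in base64 unless a master password is set; base64 is encoding, not protection, so the script decodes that form as well.

```python
"""Audit and scrub a FileZilla sitemanager.xml.

Added example for this post, not part of FileZilla. Assumes the element
layout FileZilla 3 writes; the sample document below is constructed.
"""
import base64
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one FTP site saved the classic way (plain text),
# one SFTP site saved by a newer release (base64-wrapped), and one site
# already set to "ask for password" (no <Pass> element at all).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.10.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.net</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>webmaster</User>
      <Pass>Hunter2!</Pass>
      <Name>Main site (FTP)</Name>
    </Server>
    <Server>
      <Host>vps.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Logontype>1</Logontype>
      <User>root</User>
      <Pass encoding="base64">Y29ycmVjdCBob3JzZQ==</Pass>
      <Name>VPS (SFTP as root)</Name>
    </Server>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>2</Logontype>
      <User>alice</User>
      <Name>Client site (asks every time)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

PROTOCOLS = {"0": "FTP", "1": "SFTP"}  # values FileZilla writes; others exist
LOGONTYPE_NORMAL = "1"                  # user name plus stored password
LOGONTYPE_ASK = "2"                     # prompt for the password every time


def stored_password(server):
    """Return the cleartext password saved for one <Server>, or None."""
    pass_el = server.find("Pass")
    if pass_el is None or not pass_el.text:
        return None
    if pass_el.get("encoding") == "base64":
        # base64 is encoding, not protection: one call undoes it
        return base64.b64decode(pass_el.text).decode("utf-8")
    return pass_el.text


def audit(xml_text):
    """List every site whose password can be read straight out of the file."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        pw = stored_password(server)
        if pw is None:
            continue
        user = server.findtext("User", "")
        findings.append({
            "name": server.findtext("Name", ""),
            "host": server.findtext("Host", ""),
            "protocol": PROTOCOLS.get(server.findtext("Protocol", ""), "other"),
            "user": user,
            "password": pw,
            "is_root": user == "root",
        })
    return findings


def scrub(xml_text):
    """Remove every <Pass> and switch those sites to 'ask for password'.

    Returns (rewritten XML, number of sites changed). Writing it back is
    left to the caller, and only makes sense with FileZilla closed.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None:
            continue
        server.remove(pass_el)
        logon = server.find("Logontype")
        if logon is not None and logon.text == LOGONTYPE_NORMAL:
            logon.text = LOGONTYPE_ASK
        changed += 1
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body, changed


def default_path():
    """Where FileZilla keeps the file on this platform."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "sitemanager.xml")
    return os.path.expanduser("~/.config/filezilla/sitemanager.xml")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        print(f"{path} not found; running against the built-in sample")
        text = SAMPLE_XML
    for hit in audit(text):
        flag = "  <-- ROOT" if hit["is_root"] else ""
        print(f"{hit['protocol']:4} {hit['user']}@{hit['host']} ({hit['name']}): "
              f"password '{hit['password']}' stored in the clear{flag}")
```

Run it with no argument to audit the file at the default location (the built-in sample is used when none is found). If you write the output of scrub() back over sitemanager.xml, do it with FileZilla closed, and remember that a backup, or the copy an uninstall leaves behind, still holds the old passwords until you change them on the servers.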

33 Comments
Anon
10 years ago

Holy balls that's idiotic.

HurpDurp
10 years ago

A CuteFTP is fine too.

What's that you say? It costs money? Haha, surely you jest.

Oliver AKA The Admin (Admin)
10 years ago
Reply to HurpDurp

it costs money

HurpDurp
10 years ago

>What's that you say? It costs money? Haha, surely you jest.

———
10 years ago

I always used FTPRush, and I really like it.

FTPRush doesn't store anything in plain text (as far I know)

???
10 years ago

…So I decided to actually look for this particular file on my Mac (since I've used FZ), and I couldn't find it. At all. The app has no Application Support folders (which it would need if it were calling , and the package contents (which is basically the innards of the program on Mac OS X, which includes the executable code) had only a couple XML files, none of them related to the site manager aspect of the app (perhaps other than UI information, no actual data itself). Spotlight shows no results. It is within the realm of possibility that this file does exist, but it's likely that I need to know the exact folder it's in, and honestly that's considered obfuscation (since that means the folder is hidden from Finder).

Given that the forum post you mentioned was made 6 years ago, it's very possible they've fixed it since then. Or this "fix" is limited to Macs/Linux. But I don't think you should completely discourage use of it on Macs. Just Windows, and Windows has always been messier than a tentacle orgy.

HurpDurp
10 years ago
Reply to ???

It's not fixed, I recently installed Filezilla and was able to find it on my computer 2 seconds after Oliver made this post.

It's in a hidden folder in Windows, so that's likely the case on Mac as well.

???
10 years ago
Reply to HurpDurp

Well, there's the thing right there:
A. It's a HIDDEN folder
B. With Macs, you cannot make hidden folders visible like you can in Windows (the latter a big security flaw if ever there was one). It's impossible. Thus, you have to explicitly know the name and path of the folder you want to get at to get to it. That's obfuscation, so you're pretty safe, all things considered.
Again, the problem is a Windows problem. Stop treating a Windows problem like it applies to everyone, especially if you have no clue how Mac OS X functions.

HurpDurp
10 years ago
Reply to ???

…How is that a security flaw? I'd much prefer knowing something I downloaded didn't come with a hidden file in it. NOT being able to see that is a security flaw imo.

Denamic
10 years ago

But storing passwords in plain text in plain sight is the safest option! It's hiding in plain sight, like a leaf in the forest. No one would suspect a thing when there's all those other files around.

CooMooFarm
10 years ago

I just use SSH keys, don't need to remember passwords for sites that use it.

I had switched to WinSCP for other reasons however.

oldbrokenhands
10 years ago

Wonder what protections FZs legal department has in place. It seems it's just a matter of time before they face litigation.

Moon mam
10 years ago

So as long as I don't download the program I'm fine

Moon mam
10 years ago

O and does it apply when I download stuff from this site and others like it

mvee
10 years ago

I use xampp and checked out my filezilla settings and looked at my passwords.. they're all in some sort of jumble and not in plain text..
maybe this issue was already fixed? I know that I had 1 hacking attempt on my server and they were immediately kicked and banned (i have the 10 attempt limit then permaban)

and it seems that the thread mentioned is old and probably outdated by now.. but that's just my look at the server settings xml file.

HurpDurp
10 years ago
Reply to mvee

> maybe this issue was already fixed?
Nope, just tested it myself.

zmaj
10 years ago

ahhhh yeah… I've exploited this feature and a similar one for Mozilla. Mainly because I forgot what my ftp passwords were and I'd use it to remember (these are non-critical ftp accesses) but a security flaw nonetheless.
There are 2 instances when I used these against other people. Once, as a test, I made a batch program that ran in the background when I put my flashdrive in another computer which copies out the filezilla directory. I did this on one of my good friends and stole his school password, which would have let me access his school information, grades, assignments, etc.
Another time, by chance my prof made a mistake uploading an assignment and when I raised this with him, he asked if I had filezilla. He used my laptop, and filezilla's quick access to make the changes in the file share. Incidentally, I now had the saved credentials and could check them through this file, or just reuse the quick login. I was able to look at class grades (though I didn't exploit this, just browsed).
If you're curious about the mozilla thing, firefox lets you save passwords for various sites and it encrypts these into a login credentials file. You have the option of passwording this master list, but I think most regular users don't use this. In any case, you can't actually look at the file like filezilla, but there's nothing stopping you from importing it directly into your own copy of mozilla. Mozilla lets you transfer your user data to other computers, or when you're re-installing it. It's just a simple matter of copying the credentials file and importing it to use them again. After it's imported, you can view them unencrypted.

RobertDJ
10 years ago

Try Gene6 FTP, I personally think it's the best ftp hosting application out there. Lots of highly advanced options, protection all around.

Anonymous2
10 years ago

use FireFTP if you use Firefox… just a little plugin!

AV_
10 years ago

WRONG!!!!!!!!!!! It's NOT a SECURITY HOLE. Let me check:
-obfuscation: useless, if you can obfuscate you can easily deobfuscate.
-salt: do you know what a salt is used for?
-database storage: even if it's in a database it's trivial to extract it
-master password: well, that could work but if you don't use it or if you can't it's an obvious problem of filezilla but it's not hidden either so…

The point is it has to be in plain text or similar, even the passwords of firefox, chrome,…. are in a simple DB, easy to retrieve if you don't set a master pw and almost anyone use it…
It's not difficult to understand, if any program remembers your password, it has to store it somewhere and nothing stops another program from accessing that location and seeing that password.

Yvan
10 years ago

“If this is an SFTP account, then the person who copied your plain text username and password is now root on your server”
No he isn’t, SFTP has nothing to do with being root…unless you are using password authentication as root, and using that account to access files(AND save the credentials), but then you are already traveling on the failtrain with max speed, this won’t change much. :)

By the way if any attacker reached the stage where he can read/write files in your user profile, you are already screwed.

twahttjiowa
10 years ago

Chrome saves passwords in plain text too. Opera offers masterpassword with password file encryption but only to version 12.

For FTP the best option is FlashFXP

HurpDurp
10 years ago
Reply to twahttjiowa

>Chrome saves passwords in plain text too.
No it doesn't.

"C:\Users\[yourusername]\AppData\Local\Google\Chrome\User Data\Default\Login Data" The passwords are not visible in this file.

a nonny mouse
10 years ago
Reply to HurpDurp

settings->show advanced settings-> passwords and forms-> managed saved passwords-> click on a password and click 'show'

it's not plain text, but it's pretty much in plain view for anyone that could be using your computer. It would be nice if there was at least some sort of master password to protect the saved passwords in chrome, like there is (was? I don't use firefox anymore) in mozilla. I still use chrome though, I just memorize all my passwords.

HurpDurp
10 years ago
Reply to a nonny mouse

That's not the same thing at all.

@Ganonmaster
10 years ago

I would recommend Cyberduck for both Windows and Mac. It supports password encryption and on Mac it integrates with the system wide Keychain manager. If you want a little more eyecandy and are willing to pay for it, there's also Transmit for Mac, which will set you back about $35.

"If this is an SFTP account, then the person who copied your plain text username and password is now root on your server […]"
What Yvan posted is right. SFTP has nothing to do with being root. The difference between SFTP and FTP is that SFTP accounts, besides filesystem access, also have shell access. The amount of things they can do and the folders they have access to are determined by the permissions that the user has. If you just want basic uploading over SFTP, use an account that isn't root and make sure that the root account has a different password. It's more secure that way. Using root to take care of everything is a bad habit and you need to stop doing it.

"And if we’re not that perfect professional, but just a random person ? You have no right to screw up. At all. Nothing is done at all to reduce the amount of harm you’re exposed to if you screw up : fuck you lame newb with human defects."

While it's a pretty glaring issue, honestly, I can definitely see where these devs are coming from. People cry wolf, complain about domestic security, protecting their house and family from criminals, install extra locks, but don't stop to think for one second when it comes to their behaviours online, while that's where the majority of their valuables are these days. Banking information, mail, photo albums and many other previously tangible things now exist exclusively on the internet, and people think that securing these things is not something they should worry about. To them, security should happen magically. Software should be inherently secure! We both know that your house isn't criminal proof, so your computer can't be either. That's why you take extra precautions yourself. Put valuable jewels and documents in a safe, extra locks on the door and don't leave any windows open when you leave the house. The same thing should be valid for your computer. You have to secure it yourself. You don't know how to secure your computer? You have access to the internet. You can look all this information up. There is no excuse for ignorance. Encrypt your disks, lock your device when you're not using it, keep your virus scanner, browsers and plugins up to date and avoid downloading or running any programs you do not recognise or trust. Basic stuff. You are just as much responsible for protecting your private information as the developers of the software. (and in my opinion even more than they are) And if the software they make isn't secure enough for you, there's usually an alternative that is.

Even if you implement some kind of security, it won't help you if your computer is compromised. FileZilla is open source. You will be able to see how they encrypt or obfuscate the file and could easily reverse the process to get it back. Believe me, if hackers would want to get to your encrypted sitemanager.xml that badly, they could. The developer recommends to set FileZilla to "always ask for passwords", because he knows, that once you start adding extra security to the file, it becomes an endless battle with people trying to break its encryption. There are tools for recovering "encrypted" passwords for every major FTP client out there. It's a fight the Filezilla guys just don't want to be involved in as it wastes everyone's time and in the long run, doesn't really add any security. Your best bet is making sure your computer doesn't get compromised in the first place. And that's not something the Filezilla guys have control over. You do.

derp
10 years ago

Not a security hole, not undocumented, not overlooked. This is intentional design, and the program working as intended.

Any program that stores your credentials for re-transmission HAS to have access to them in plain-text form in some manner. Period.

Applications can try to obfuscate the stored passwords, but they’re there. There is no getting around it, and obfuscation (e.g. *pretending* they’re not there) can actually be HARMFUL, as people are then not as properly careful as they should be.

Pidgin (the IM client) stores its passwords in plaintext as well, and has a fairly extensive discussion on why this is actually the LEAST harmful way of storing local credentials here: https://developer.pidgin.im/wiki/PlainTextPasswords

Basically, if you don’t have to enter a password to let the program decrypt your stored passwords, they’re not any better protected.

securrity
10 years ago

@Ganonmaster: you’re right. 100%

Side note, the best security practice is not storing PWD along account, nor on the PC.

Bank credentials on the PC? NEVER! It’s crazy.

I think Putty does this (doesn’t allow saving USR and PWD by design). But ppl want easy life and security… which can’t be, it’s a conflict.

@Olivier: do you happen to use wifi? Well, you should know that there’s a nice attack that can bruteforce your pwd easily, its widespread on all HW and nobody is fixing it. Search about “reaver wps”, and be horrified… But will you go cabled? ;)

@Ganonmaster
10 years ago
Reply to securrity

I know bank credentials are not to be stored on your PC. Not sure if I worded it correctly, but my intention was to simply point out that most banks have switched over to digital systems in favor of using paper.

SL-Gundam
10 years ago
Reply to securrity

That's an attack on WPS. Which is a feature that can be easily disabled on most routers and access points

I never use it anyways so it is always disabled on my hardware

@Ganonmaster
10 years ago
Reply to SL-Gundam

And that's exactly the point. Turning off WPS is the equivalent of turning off the "remember password" feature in FileZilla. Both are convenience features that potentially put your security at risk.

josh
10 years ago

wow, thanks for that info oliver. Really helps the less tech savvy guys like me.

SL-Gundam
10 years ago

I personally use Total Commander. I checked some time ago where that program stores the passwords for my FTP accounts.

The passwords are stored in an ini file with reversible encryption (obviously). Though it is quite easily possible to move said ini file to another machine and it works without issues. But those tests were on a system where the user name and password were the same for the windows account. So the question is whether these passwords are salted or not…. and if they are salted… with what? who knows. At least it is better than FZ