2009 is the year of malware attacks that use stolen FTP credentials to infect legitimate web sites. Hundreds of thousands websites have been hacked this way and suffered from hidden iframe injections, Gumblar, redirections to bogus anti-virus sites, etc.
The success of those attacks is based on the fact that a significant percentage of web surfer are webmasters and site owners themselves. Once a computer of a site owner is infected, malware can steal his/her FTP credentials and use them to make the site distribute malware to unsuspecting visitors, who, in turn, may also be site owners. As a result, we see rapid growth in number of compromised websites.
There are quite a few hypotheses about how cibercriminals steal the credentials: traffic sniffing, using keyloggers, etc. But the most viable is that trojans simply extract everything they need from configuration files of popular FTP programs. Let me show how easy it can be done.
Lets take a very popular free FTP client called FileZilla. For this experiment, I downloaded and installed the latest version 18.104.22.168.
Then I added a fictitious site “example.com” with username “unmask” and password “parasites“. Logontype is “Normal” – this is probably the most popular type since it allows one-click connection and doesn’t require that you enter username/password every time. Then I clicked OK to save the new settings.
FileZilla is a cross-platform application. That’s why it stores its settings in platform-neutral XML files.
XML files are human readable. This is what I discovered in the sitemanager.xml file right after I added a new site to FileZilla.
As you can see, everything is stored in plain text, including the password.
When I tried to connect to “example.com”, FileZilla added the following <LastServer> section to filezilla.xml. Again, everything in plain text.
FileZilla has a quickconnect bar that allows you to connect to servers without adding them to the Site Manager. When I used it, similar information was added to recentservers.xml (needless to say, unencrypted).
As you can see, any program on your computer, legitimate and malicious, can read this information. Moreover, any person who have access (even for a couple of minutes only) to your computer, can easily steal your FTP credentials. And there are known trojans that do steal personal information from configuration data of popular programs (thanks Alec Waters who sent me this link).
At FileZilla they clearly state that they don’t want to encrypt or hide your sensitive information:
This is by design, it is the task of the operating system to protect your private data.
Probably they are right. Unfortunately, there is no such thing as 100% secure operating system. And in case of Windows, where viruses and spyware are not that rare, I would be very concerned if I knew that my data is protected by the operating system only.
I know, that encrypting passwords is not a good solution either. Malware authors can reverse-engineer FTP clients and extract the decryption algorithm (in case of open source programs they only need to read the source code). So encryption can’t stop malware from stealing FTP credentials. It can only save you from eyes of strangers who have access to your computer.
The protection can only be sufficiently strong if users are required to enter their “master password” every time they open the program (like in KeePass). However this approach makes the convenience of storing FTP passwords in FTP clients questionable – you still have to remember and enter some password on every use. That’s why it is not used in FTP programs (that I know of).
So I agree with FileZilla. It is sensible to store FTP credential in plain text when you choose the “Normal” logon type. But only if users are aware of the risks.
The problem is the majority of FTP programs’ users trust their software and never think about how their private information is handled and if there are any security risks associated with the way they use the software. And as you now know the risks are real and substantial! There is a flaw in the design if it lets people feel secure when they are not.
How about the following change of the design? The “Normal” logon type can be renamed to “Normal (insecure)“. And when users choose this type, they see a warning saying that their FTP credentials will be saved in plain text and can be easily stolen if the computer’s security is compromised. And the Quickconnect toolbar should never save passwords. If there is a need to save the “quick connection”, why not offer to add it to the Site Manager?
I believe, the impact of these small changes would be significant. One-click FTP connections are very convenient. But, as always, the convenience comes at a price. And if webmasters know this price, they will be more prepared to deal with potential security problems.
FileZilla is a great FTP client and I use it myself. But since it doesn’t protect your FTP credentials, you should protect them yourselves. Here is what you can do:
1. Don’t use the “Normal” logon type. There are the “Ask for password” and the “Interactive” types that won’t save your passwords on disk. So malware simply won’t be able to get enough information from FileZilla configuration files to hack your sites.
2. Hosts trick. If you manage multiple web sites, interactive logon types may be really inconvenient. There is a trick that can let you use the “Normal” logon type in a more secure manner. You should create aliases of your sites’ addresses in the “hosts” file (on Windows, you can find it in C:\WINDOWS\system32\drivers\etc\).
For example you have a site “example.com” with an IP-address “22.214.171.124″. To create an alias you need to add the following line into the hosts file:
“my_example” will work the same way as “example.com” when you use it on your computer. However, on other computers it won’t make any sense. Now use this alias in FTP connection settings instead of “example.com”. If hackers manage to steal your FTP credentials, all they’ll have will be: (host: my_example, user: unmask, password: parasites) – the username/password pair is valid, but the host name doesn’t make any sense to them. It’s like having a key and not knowing where the door is.
3. Public Key Authentication. If your hosting plan included SSH (secure shell), you can use FileZilla in SFTP mode. One of convenient SSH features is public key authentication. And FileZilla supports this type of authorization (I didn’t use it myself, but at least have seen the UI in the “Settings” dialog). FileZilla recognizes PuTTY’s Pageant, so the configuration should be easy if you already use PuTTY for SSH.
In this article I reviewed FileZilla only because it’s a popular FTP client that I have on my computer and it was very easy to demonstrate how little it does to protect users’ FTP credentials. However the same concerns apply to all other programs that have FTP functions: classical FTP clients, web page editors, file managers. Popular applications like DreamWeaver, CuteFTP, Total Commander, etc. account for majority of FTP credentials leaks.
Now ask yourself a few questions. Do you know where and how your FTP client stores your passwords? Will they be safe if a malicious program program penetrates into your computer? Do you know how to protect your FTP credentials?
If you’ve recently had malware issues with your computer or just suspect that your systems is infected or contains programs from untrusted sources, it’s time to change all passwords and scan your websites for malicious content that hackers might have already uploaded there (my Unmask Parasites online tool is a good starting point as it helps detect hidden illicit content in your web page).
Thanks for reading this rather long post. I hope it was worth it. Do you have anything to add? Any other security concerns associated with FTP programs? Any tricks to keep your FTP credentials secure? Your comments are welcome.