
Beware: FileZilla Doesn’t Protect Your Passwords

   01 Sep 09   Filed in Tips and Tricks

2009 is the year of malware attacks that use stolen FTP credentials to infect legitimate web sites. Hundreds of thousands of websites have been hacked this way and suffered from hidden iframe injections, Gumblar, redirections to bogus anti-virus sites, etc.

The success of those attacks is based on the fact that a significant percentage of web surfers are webmasters and site owners themselves. Once a site owner's computer is infected, malware can steal his/her FTP credentials and use them to make the site distribute malware to unsuspecting visitors, who, in turn, may also be site owners. As a result, we see rapid growth in the number of compromised websites.

There are quite a few hypotheses about how cybercriminals steal the credentials: traffic sniffing, using keyloggers, etc. But the most viable is that trojans simply extract everything they need from the configuration files of popular FTP programs. Let me show how easily it can be done.

FileZilla

Let's take a very popular free FTP client called FileZilla. For this experiment, I downloaded and installed the latest version, 3.2.7.1.

Adding new site

Then I added a fictitious site “example.com” with username “unmask” and password “parasites”. Logontype is “Normal” – this is probably the most popular type since it allows one-click connection and doesn’t require that you enter username/password every time. Then I clicked OK to save the new settings.


FileZilla configuration files

FileZilla is a cross-platform application. That’s why it stores its settings in platform-neutral XML files.


sitemanager.xml

XML files are human readable. This is what I discovered in the sitemanager.xml file right after I added a new site to FileZilla.


As you can see, everything is stored in plain text, including the password.

filezilla.xml

When I tried to connect to “example.com”, FileZilla added the following <LastServer> section to filezilla.xml. Again, everything in plain text.


Quick connect

FileZilla has a quickconnect bar that allows you to connect to servers without adding them to the Site Manager.  When I used it, similar information was added to recentservers.xml (needless to say, unencrypted).

Anyone wants my passwords?

As you can see, any program on your computer, legitimate or malicious, can read this information. Moreover, any person who has access (even for a couple of minutes only) to your computer can easily steal your FTP credentials. And there are known trojans that do steal personal information from the configuration data of popular programs (thanks to Alec Waters who sent me this link).

Did you know this? Can you trust every program on your computer? Have you recently had malware issues? What about spyware that your anti-virus failed to detect (no program is perfect)?

This is “by design”

At FileZilla they clearly state that they don’t want to encrypt or hide your sensitive information:

This is by design, it is the task of the operating system to protect your private data.

Probably they are right. Unfortunately, there is no such thing as a 100% secure operating system. And in the case of Windows, where viruses and spyware are not that rare, I would be very concerned if I knew that my data is protected by the operating system only.

I know that encrypting passwords is not a good solution either. Malware authors can reverse-engineer FTP clients and extract the decryption algorithm (in the case of open source programs they only need to read the source code). So encryption can’t stop malware from stealing FTP credentials. It can only save you from the eyes of strangers who have access to your computer.

The protection can only be sufficiently strong if users are required to enter their “master password” every time they open the program (like in KeePass). However, this approach makes the convenience of storing FTP passwords in FTP clients questionable – you still have to remember and enter some password on every use. That’s why it is not used in FTP programs (that I know of).

The flaw in the design

So I agree with FileZilla. It is sensible to store FTP credentials in plain text when you choose the “Normal” logon type. But only if users are aware of the risks.

The problem is that the majority of FTP program users trust their software and never think about how their private information is handled and whether there are any security risks associated with the way they use the software. And as you now know, the risks are real and substantial! There is a flaw in the design if it lets people feel secure when they are not.

How about the following change of the design? The “Normal” logon type can be renamed to “Normal (insecure)”. And when users choose this type, they see a warning saying that their FTP credentials will be saved in plain text and can be easily stolen if the computer’s security is compromised. And the Quickconnect toolbar should never save passwords. If there is a need to save the “quick connection”, why not offer to add it to the Site Manager?

I believe the impact of these small changes would be significant. One-click FTP connections are very convenient. But, as always, the convenience comes at a price. And if webmasters know this price, they will be more prepared to deal with potential security problems.

Using FileZilla the safe way

FileZilla is a great FTP client and I use it myself. But since it doesn’t protect your FTP credentials, you should protect them yourself. Here is what you can do:

1. Don’t use the “Normal” logon type. There are the “Ask for password” and the “Interactive” types that won’t save your passwords on disk. So malware simply won’t be able to get enough information from FileZilla configuration files to hack your sites.

Pros

  • Malware cannot steal your FTP credentials from configuration files.

Cons

  • You’ll have to enter your password every time you connect to your site.
  • It won’t save you from more sophisticated spyware such as keyloggers and traffic sniffers. But I hope this sort of trojan can be better detected by your antivirus tools since they need to hook known system functions. To protect yourself from traffic sniffers, always use SFTP instead of FTP (if possible).

2. Hosts trick. If you manage multiple web sites, interactive logon types may be really inconvenient. There is a trick that can let you use the “Normal” logon type in a more secure manner. You should create aliases of your sites’ addresses in the “hosts” file (on Windows, you can find it in C:\WINDOWS\system32\drivers\etc\).

For example, you have a site “example.com” with the IP address “208.77.188.166”. To create an alias you need to add the following line to the hosts file:

208.77.188.166         my_example

“my_example” will work the same way as “example.com” when you use it on your computer. However, on other computers it won’t make any sense. Now use this alias in the FTP connection settings instead of “example.com”. If hackers manage to steal your FTP credentials, all they’ll have will be: (host: my_example, user: unmask, password: parasites) – the username/password pair is valid, but the host name doesn’t make any sense to them. It’s like having a key and not knowing where the door is.

Pros

  • Once you have added new aliases to the hosts file and to FileZilla Site Manager, you can enjoy the ease of one-click connections.

Cons

  • This trick will only work as long as malware steals FTP credentials from configuration files verbatim (and I have proof that at least some malware steals the data verbatim). If they only add a simple check that converts host names to IP addresses before sending the credentials to their central database, the trick will be useless. This trick is better than no protection at all, but you should not count on it.
  • You’ll need to update the hosts file if IP-addresses change.
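The configuration files described above and the hosts-file alias trick can both be checked with a small audit script. The following Python is an added example, not part of the original post or of FileZilla: it parses the <Server> entries of a sitemanager.xml or recentservers.xml (same element names as the recentservers.xml sample quoted in the comments), reports which entries keep a password on disk, whether the host is an alias from the hosts file, and which still use plain FTP. The sample XML and hosts content are constructed for the example; the Logontype codes other than 1 (“Normal”) and the <FileZilla3>/<Servers> wrapper are assumptions.

```python
"""Audit FileZilla site entries: stored passwords, hosts-file aliases, plain FTP."""
import xml.etree.ElementTree as ET

# Logontype 1 is "Normal" (password stored), as in the recentservers.xml sample
# in the comments. Logontype 2 is assumed here to be "Ask for password".
LOGONTYPE_NORMAL = 1
PROTOCOL_FTP = 0  # <Protocol>0</Protocol> is plain FTP in the quoted sample


def parse_hosts(hosts_text):
    """Return alias -> IP from hosts-file text, ignoring comments and blanks."""
    aliases = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            aliases[name] = ip
    return aliases


def audit_servers(xml_text, hosts_text=""):
    """Return one finding dict per <Server> element found in the XML."""
    aliases = parse_hosts(hosts_text)
    findings = []
    for server in ET.fromstring(xml_text).iter("Server"):
        host = (server.findtext("Host") or "").strip()
        password = (server.findtext("Pass") or "").strip()
        findings.append({
            "host": host,
            "user": (server.findtext("User") or "").strip(),
            "password_on_disk": bool(password),
            "normal_logon": int(server.findtext("Logontype") or 0) == LOGONTYPE_NORMAL,
            "hosts_alias": host in aliases,
            "plain_ftp": int(server.findtext("Protocol") or 0) == PROTOCOL_FTP,
        })
    return findings


def risky_entries(findings):
    """Entries where the config file alone yields a usable host/user/password triple."""
    return [f for f in findings if f["password_on_disk"] and not f["hosts_alias"]]


# Constructed sample: two "Normal" entries (one aliased via hosts) and one
# "Ask for password" entry with no <Pass> element.
SAMPLE_SITEMANAGER = """<FileZilla3><Servers>
<Server><Host>example.com</Host><Port>21</Port><Protocol>0</Protocol>
<User>unmask</User><Pass>parasites</Pass><Logontype>1</Logontype></Server>
<Server><Host>my_example</Host><Port>21</Port><Protocol>0</Protocol>
<User>unmask</User><Pass>parasites</Pass><Logontype>1</Logontype></Server>
<Server><Host>example.org</Host><Port>21</Port><Protocol>0</Protocol>
<User>webmaster</User><Logontype>2</Logontype></Server>
</Servers></FileZilla3>"""

# Constructed hosts file using the alias from the article.
SAMPLE_HOSTS = "127.0.0.1 localhost\n208.77.188.166 my_example  # alias\n"

if __name__ == "__main__":
    for f in audit_servers(SAMPLE_SITEMANAGER, SAMPLE_HOSTS):
        flags = [k for k in ("password_on_disk", "hosts_alias", "plain_ftp") if f[k]]
        print(f"{f['host']:<12} {f['user']:<10} {' '.join(flags)}")
    print("at risk:", [f["host"] for f in risky_entries(
        audit_servers(SAMPLE_SITEMANAGER, SAMPLE_HOSTS))])
```

Point the script at the real sitemanager.xml and recentservers.xml in the FileZilla settings directory to see which of your own sites would be exposed by a copied config file.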

3. Public Key Authentication. If your hosting plan includes SSH (secure shell), you can use FileZilla in SFTP mode. One of the convenient SSH features is public key authentication. And FileZilla supports this type of authorization (I didn’t use it myself, but at least have seen the UI in the “Settings” dialog). FileZilla recognizes PuTTY’s Pageant, so the configuration should be easy if you already use PuTTY for SSH.

Pros

  • Secure one-click connections.

Cons

  • This authentication method will only work if your hosting plan includes SSH/SFTP. Unfortunately, this option is rarely included in shared hosting plans.
  • Creating the keys and configuring FileZilla to use them is not a trivial process.
  • You might still have to enter a pass phrase when adding keys to the Pageant.

Other FTP programs

In this article I reviewed FileZilla only because it’s a popular FTP client that I have on my computer and it was very easy to demonstrate how little it does to protect users’ FTP credentials. However, the same concerns apply to all other programs that have FTP functions: classical FTP clients, web page editors, file managers. Popular applications like DreamWeaver, CuteFTP, Total Commander, etc. account for the majority of FTP credential leaks.

Be proactive

Now ask yourself a few questions. Do you know where and how your FTP client stores your passwords? Will they be safe if a malicious program penetrates your computer? Do you know how to protect your FTP credentials?

If you’ve recently had malware issues with your computer or just suspect that your system is infected or contains programs from untrusted sources, it’s time to change all passwords and scan your websites for malicious content that hackers might have already uploaded there (my Unmask Parasites online tool is a good starting point as it helps detect hidden illicit content in your web pages).

Thanks for reading this rather long post. I hope it was worth it. Do you have anything to add? Any other security concerns associated with FTP programs? Any tricks to keep your FTP credentials secure? Your comments are welcome.

Reader's Comments (39)

  1. |

    [...] As for FileZilla... Beware: FileZilla Doesn’t Protect Your Passwords. I only skimmed it, but the ID/password [...]

  2. |

    I recently switched from FTP to SFTP for this reason, using FTPVoyager.

    I’ve noticed that the connection seems to time out quite quickly, whereas with FTP it never died if inactive for very long periods. As I cannot find a config setting for connections timeouts I assume it’s some feature of SFTP.

    • |

      This same type of compromise could very easily occur with software that stores your SFTP login as well. It is only luck, that at that this time the malware authors are not attacking this channel.

  3. |

    What!? Also QuickConnect saves passwords into recentservers.xml? You are kidding me, right?

    • |

      Just double-checked. Here’s what I get the next moment after I pressed “quickconnect”:

      <RecentServers>
      <Server>
      <Host>example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>test</User>
      <Pass>quickconnect</Pass>
      <Logontype>1</Logontype>
      <TimezoneOffset>0</TimezoneOffset>
      <PasvMode>MODE_DEFAULT</PasvMode>
      <MaximumMultipleConnections>0</MaximumMultipleConnections>
      <EncodingType>Auto</EncodingType>
      <BypassProxy>0</BypassProxy>
      </Server>
      </RecentServers>

      • |

        I still can’t believe it. This means that I have multiple accounts compromised.

        • |

          Just check your configuration files.

          I used the latest version with all defaults. I know, there are modes, where passwords are not saved, but used the default mode since it’s what most webmasters use.

          • |

            I don’t have Windows now. And don’t want to install it on Linux. I use FileZilla mostly from public computers or my friends’ computers or my family’s computers. I always use quickconnect because I was believing it doesn’t store passwords anywhere.

            Will change all my passwords now, and check it later.

          • |

            If you don’t enter a password in the “Quickconnect” bar, FileZilla will ask for the password when you connect. But in this case, the password won’t be saved in the recentservers.xml file.

            This way you can use the quickconnect toolbar from public computers.

          • |

            Good to know, but still this is counter intuitive.

  4. |

    This is alarmist scare mongering. You can’t encrypt your password and allow a quick connect. If FileZilla is to be able to read your password without you having to enter anything, then it’s possible for any programme running on your OS. They should just store the password in rot13 to stop alarmist attention seekers like this post. It’s just as secure as a passwordless login.

    Statements like “Unfortunately, there is no such thing as 100% secure operating system. And in case of Windows, where viruses and spyware are not that rare, I would be very concerned if I knew that my data is protected by the operating system only.” are misleading. No OS is 100% sure, but Windows is catastrophically *insecure*. Try Ubuntu, which is immensely more secure than Windows. To claim it’s not 100% secure is misleading. For all intents and purposes here for a normal user, Ubuntu is 100% secure.

    If you are that worried about security, then don’t use FTP, which is a horrifically insecure protocol as it is. If you’re on FTP, not SFTP, then all passwords are sent in the clear as it is. If you’re on a wifi network with someone else they can read your FTP password already.

    • |

      Rory,

      It looks like you didn’t bother yourself to read the whole article.

      It says it’s quite OK to store passwords in plain text as encrypted passwords won’t make the whole thing more secure. But users should know that if they want quick connects, FileZilla won’t protect their passwords. And if their computer gets infected (this happens to many webmasters), their FTP credentials can be easily stolen.

      • |

        But honestly, if you’re going to blast your username/password pair in clear text across the NETWORK, who gives a flip if it’s stored in a file on your hard drive?

        The problem isn’t FileZilla, it’s FTP.

  5. |

    Even if you store passwords for the proxy-user, it’s listed in XML files as clear text.
    It’s needless to say, but this is only an issue on Windows systems.

    Filezilla is an open source product, based on the security of *nix systems.
    It’s not natural that any other person/program besides you should be able to read ANY data in your home folder.

    • |

      Unfortunately, millions of webmasters work on Windows where the risk of malware infections is high. And many of them never think about how FTP programs handle their passwords. As a result, hundreds of thousands hacked websites.

      • |

        I know, and this doesn’t only count for webmasters, but also for system administrators.

        I had this issue reported at work a few months ago to the head of sys-admins.
        (about filezilla storing the proxy pass & username in the xml file as cleartext)

        It was ‘no big deal’ …

        So people getting their sites hacked by this deserve it!

        I mean it… If you don’t know or control where your passwords go, nothing can save you, not even RSA/DSA keys and encrypted keychains.

        Serious…

  6. |

    It is shaping up to be 2009: The year of malware. I have posted on my blog steps to help prevent Gumblar/Martuz here
    http://blog.igothacked.com/2009/06/steps-to-prevent-gumblar-martuz-nine.html

  7. |

    [...] http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/ [...]

  8. |

    It’s not rocket science to protect passwords in code: http://msdn.microsoft.com/en-us/library/ms995355.aspx – describes the Microsoft DPAPI (Data Protection API). You can quickly and easily encrypt data using either a user-related key, or a system-related key.
    Even if you can see the source code, you don’t have access to the DPAPI key. Even if you download the XML file with the encrypted password, you don’t have access to the DPAPI key.
    [If you're stuck with code that can't be modified, either because it's not open source, or because you're not a developer, there's the prospect of using EFS to encrypt the directory containing your configuration files. Not perfect, for sure, but it's one way to keep those XML files from being readable by others.]
    And, because it’s my common complaint, why aren’t people using FTPS? It’s a documented standard (unlike SFTP), it uses SSL and existing X.509 certificate infrastructure (unlike SFTP), it works exactly like FTP but secured (unlike SFTP), and you can use passwords or certificates to authenticate as the client user (at the same time as authenticating that the server is the right one). FTPS avoids the sniffing issues associated with plain-text FTP, as SFTP does, but it requires less new learning than SFTP, if you’re already familiar with FTP.

  9. |

    [...] http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/ [...]

  10. |

    Multiple websites compromised and infected. New version of Gumblar type malware infection. Worst thing is Google is now listing all infected sites as possibly being harmful to your computer. Which is true to be fair, but that’s going to be a pain to get the sites’ credibility back. I “assumed” that Filezilla encrypted that information. But as the saying goes, “Don’t assume – it’ll only make an ASS out of U and ME!”

  11. |

    Thanks very much for this article, which is valuable to me as a not-very-technical person, for being comprehensible and including practical advice I can immediately follow. My web pages were recently h(ij)acked and flagged as unsafe by Google (the shame …). My provider made no response to my request for advice. I’ve now taken everything down and need to get safe before I reconstruct it. Can’t be sure that the vulnerability is with Filezilla, which I’ve used for a year or so, but will now change the transfer setting, and then look into other methods altogether.

  12. |

    [...] infected Windows computer. The test proved that malware steals passwords saved in FTP programs (FileZilla in that [...]

  13. |

    I recently migrated to coreftp for my laptop and usb stick for this very reason. (Hint: use -flash option so that it stores info in a text file and not registry.) coreftp indeed does encrypt the password. It also has some other nice security features. The LE version is free (but not open source).

  14. |

    [...] quickconnect bar doesn’t save the password if you don’t type it in the bar (source: comment by Denis “If you don’t enter a password in the “Quickconnect” bar, [...]

  15. |

    [...] think are safe are not really safe at all. I was shocked to find out that my favorite FTP client, FileZilla, does not protect your passwords. In fact, many FTP clients don’t protect your passwords. I believe this also includes the [...]

  16. |

    [...] taken from unmaskparasites.com [...]

  17. |

    The solution to this issue that I use is to use KeePass to store all the FTP connection details. KeePass can be automated to launch FileZilla and log in to the FTP account. Here’s how I set it up:
    An alternative to storing passwords in FileZilla

    Cheers,
    Aidan

  18. |

    [...] http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/ [...]

  19. |

    Try this one:
    http://www.evrim-sen.com/html/filezilla-password-protection.htm

  20. |

    Just use Filezilla Portable via portableapps.com; it’s secure as it’s portable and doesn’t save any data on the PC.

  21. |

    Similar thing happened to me. An infected computer sent out Filezilla’s plain text password file to a server where it was used to log in and infect all HTML and PHP files on my site.

    Note, you are NOT SAFE WITH SFTP with Filezilla if you get Filezilla to hold the password as it will still be available in an unencrypted file!

    The solution is to use sftp with NO password and to use a SSH key; then simply load your private key into a key manager such as pageant. You can automatically and securely log in without needing to type in a password.

  22. |

    I was trialling filezilla and configured 4 sites in the site manager. My PC was subsequently infected with a trojan (it happens) and all four sites were hacked and destroyed. All my other sites used WSFTP which has password encryption. None were hacked. Avoid using filezilla if you are using Windows in any form.

  23. |

    [...] Hence, even if the connection is securely encrypted with FTP over SSL, the stored FTP logins is easily obtained should the machine become infected with [...]

  24. |

    For one I know that HostGator offers SSH and SFTP on their shared hosting and I use it all the time to protect my logins from being sniffed over the network.

    It would have been nice if you had extended the article and included some good FTP clients that do encrypt the password.

    Thanks

  25. |

    [...] Beware: FileZilla Doesn’t Protect Your Passwords [...]

  26. |

    I think this post would be more accurate if it were called, “Beware: 90% of the Programs You Use Don’t Protect Your Passwords”.

    The intro to the post makes it sound like all these sites are getting hacked because of Filezilla, but most of the hackings have nothing to do with Filezilla. It usually happens because of outdated content management software running on remote servers.

    Filezilla is a great program, and there is nothing wrong with what it does. The only danger with the XML file is if someone steals your laptop. That is why laptop hard drives should be encrypted…

  27. |

    Well this was a little disconcerting to read. I’m going to get Filezilla Portable – thanks Arthur!