2009 is the year of malware attacks that use stolen FTP credentials to infect legitimate web sites. Hundreds of thousands of websites have been hacked this way and have suffered from hidden iframe injections, Gumblar, redirections to bogus anti-virus sites, etc.
The success of those attacks is based on the fact that a significant percentage of web surfers are webmasters and site owners themselves. Once a site owner's computer is infected, malware can steal his/her FTP credentials and use them to make the site distribute malware to unsuspecting visitors, who, in turn, may also be site owners. As a result, we see rapid growth in the number of compromised websites.
There are quite a few hypotheses about how cybercriminals steal the credentials: traffic sniffing, keyloggers, etc. But the most viable one is that trojans simply extract everything they need from the configuration files of popular FTP programs. Let me show how easily it can be done.
Let's take a very popular free FTP client called FileZilla. For this experiment, I downloaded and installed the latest version, 3.2.7.1.
Then I added a fictitious site “example.com” with username “unmask” and password “parasites”. Logontype is “Normal” – this is probably the most popular type since it allows one-click connection and doesn't require that you enter the username/password every time. Then I clicked OK to save the new settings.

FileZilla is a cross-platform application. That’s why it stores its settings in platform-neutral XML files.

XML files are human readable. This is what I discovered in the sitemanager.xml file right after I added a new site to FileZilla.

As you can see, everything is stored in plain text, including the password.
When I tried to connect to “example.com”, FileZilla added the following <LastServer> section to filezilla.xml. Again, everything in plain text.

FileZilla has a quickconnect bar that allows you to connect to servers without adding them to the Site Manager. When I used it, similar information was added to recentservers.xml (needless to say, unencrypted).
As you can see, any program on your computer, legitimate or malicious, can read this information. Moreover, any person who has access (even for a couple of minutes) to your computer can easily steal your FTP credentials. And there are known trojans that do steal personal information from the configuration data of popular programs (thanks to Alec Waters, who sent me this link).
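As a concrete check, here is a small audit script added for this post (it is not FileZilla's code): it walks a FileZilla XML file and reports which saved entries carry a password on disk, without ever printing the password itself. The element names follow the recentservers.xml sample quoted in the comments below; the sitemanager.xml nesting and the numeric logon type labels other than 1 (“Normal”) are assumptions.

```python
"""Audit FileZilla XML configuration files for passwords saved on disk."""
import xml.etree.ElementTree as ET

# Assumption: FileZilla's numeric logon types; only 1 = "Normal" is confirmed
# by the recentservers.xml sample quoted in the comments of this post.
LOGON_TYPES = {0: "Anonymous", 1: "Normal", 2: "Ask for password",
               3: "Interactive", 4: "Account"}


def audit_servers(xml_text):
    """Return one finding per <Server> element found anywhere in the file.

    Works for sitemanager.xml (entries nested in <Servers>/<Folder>),
    recentservers.xml and the <LastServer> section of filezilla.xml.
    The password value is never returned, only whether one is stored.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        code = int(server.findtext("Logontype", "0") or 0)
        findings.append({
            "host": server.findtext("Host", ""),
            "user": server.findtext("User", ""),
            "logontype": LOGON_TYPES.get(code, "Unknown(%d)" % code),
            "password_on_disk": bool(server.findtext("Pass", "")),
        })
    return findings


def exposed_accounts(xml_text):
    """(host, user) pairs whose password any local reader of the file gets for free."""
    return [(f["host"], f["user"])
            for f in audit_servers(xml_text) if f["password_on_disk"]]


# Constructed sitemanager.xml sample (nesting layout assumed): one "Normal"
# entry with a saved password, one "Ask for password" entry without.
SITEMANAGER_XML = """<FileZilla3><Servers>
<Server><Host>example.com</Host><Port>21</Port><Protocol>0</Protocol><Type>0</Type>
<User>unmask</User><Pass>parasites</Pass><Logontype>1</Logontype><Name>example.com</Name></Server>
<Folder expanded="1">Clients
<Server><Host>sftp.example.org</Host><Port>22</Port><Protocol>1</Protocol><Type>0</Type>
<User>deploy</User><Logontype>2</Logontype><Name>staging</Name></Server>
</Folder></Servers></FileZilla3>"""

if __name__ == "__main__":
    for f in audit_servers(SITEMANAGER_XML):
        state = "PASSWORD STORED IN PLAIN TEXT" if f["password_on_disk"] else "no password saved"
        print("%-18s %-8s %-16s %s" % (f["host"], f["user"], f["logontype"], state))
```

Point it at your own sitemanager.xml and recentservers.xml to see which entries would hand a username/password pair to anything that can read your profile directory.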
Did you know this? Can you trust every program on your computer? Have you recently had malware issues? What about spyware that your anti-virus failed to detect (no program is perfect)?
At FileZilla they clearly state that they don’t want to encrypt or hide your sensitive information:
This is by design, it is the task of the operating system to protect your private data.
Probably they are right. Unfortunately, there is no such thing as a 100% secure operating system. And in the case of Windows, where viruses and spyware are not that rare, I would be very concerned if I knew that my data were protected by the operating system only.
I know that encrypting passwords is not a good solution either. Malware authors can reverse-engineer FTP clients and extract the decryption algorithm (in the case of open source programs they only need to read the source code). So encryption can't stop malware from stealing FTP credentials. It can only save you from the eyes of strangers who have access to your computer.
The protection can only be sufficiently strong if users are required to enter their “master password” every time they open the program (as in KeePass). However, this approach makes the convenience of storing FTP passwords in FTP clients questionable – you still have to remember and enter some password on every use. That's why it is not used in FTP programs (that I know of).
So I agree with FileZilla. It is sensible to store FTP credentials in plain text when you choose the “Normal” logon type. But only if users are aware of the risks.
The problem is that the majority of FTP programs' users trust their software and never think about how their private information is handled or whether there are any security risks associated with the way they use the software. And as you now know, the risks are real and substantial! There is a flaw in the design if it lets people feel secure when they are not.
How about the following change of the design? The “Normal” logon type can be renamed to “Normal (insecure)”. And when users choose this type, they see a warning saying that their FTP credentials will be saved in plain text and can be easily stolen if the computer's security is compromised. And the Quickconnect toolbar should never save passwords. If there is a need to save the “quick connection”, why not offer to add it to the Site Manager?
I believe the impact of these small changes would be significant. One-click FTP connections are very convenient. But, as always, the convenience comes at a price. And if webmasters know this price, they will be more prepared to deal with potential security problems.
FileZilla is a great FTP client and I use it myself. But since it doesn't protect your FTP credentials, you should protect them yourself. Here is what you can do:
1. Don’t use the “Normal” logon type. There are the “Ask for password” and the “Interactive” types that won’t save your passwords on disk. So malware simply won’t be able to get enough information from FileZilla configuration files to hack your sites.
Pros
Cons
2. Hosts trick. If you manage multiple web sites, interactive logon types may be really inconvenient. There is a trick that lets you use the “Normal” logon type in a more secure manner. You should create aliases for your sites' addresses in the “hosts” file (on Windows, you can find it in C:\WINDOWS\system32\drivers\etc\).
For example, suppose you have a site “example.com” with the IP address “208.77.188.166”. To create an alias you need to add the following line to the hosts file:
208.77.188.166 my_example
“my_example” will work the same way as “example.com” when you use it on your computer. However, on other computers it won't make any sense. Now use this alias in your FTP connection settings instead of “example.com”. If hackers manage to steal your FTP credentials, all they'll have will be: (host: my_example, user: unmask, password: parasites) – the username/password pair is valid, but the host name doesn't make any sense to them. It's like having a key and not knowing where the door is.
Pros
Cons
3. Public key authentication. If your hosting plan includes SSH (secure shell), you can use FileZilla in SFTP mode. One of the convenient SSH features is public key authentication, and FileZilla supports this type of authentication (I haven't used it myself, but I have at least seen the UI in the “Settings” dialog). FileZilla recognizes PuTTY's Pageant, so the configuration should be easy if you already use PuTTY for SSH.
Pros
Cons
In this article I reviewed FileZilla only because it's a popular FTP client that I have on my computer, and it was very easy to demonstrate how little it does to protect users' FTP credentials. However, the same concerns apply to all other programs that have FTP functions: classical FTP clients, web page editors, file managers. Popular applications like DreamWeaver, CuteFTP, Total Commander, etc. account for the majority of FTP credential leaks.
Now ask yourself a few questions. Do you know where and how your FTP client stores your passwords? Will they be safe if a malicious program gets onto your computer? Do you know how to protect your FTP credentials?
If you've recently had malware issues with your computer, or just suspect that your system is infected or contains programs from untrusted sources, it's time to change all passwords and scan your websites for malicious content that hackers might have already uploaded there (my Unmask Parasites online tool is a good starting point, as it helps detect hidden illicit content in your web pages).
Thanks for reading this rather long post. I hope it was worth it. Do you have anything to add? Any other security concerns associated with FTP programs? Any tricks to keep your FTP credentials secure? Your comments are welcome.
[...] As for FileZilla... Beware: FileZilla Doesn't Protect Your Passwords. I only skimmed it, but the ID/PASS [...]
I recently switched from FTP to SFTP for this reason, using FTPVoyager.
I've noticed that the connection seems to time out quite quickly, whereas with FTP it never died if inactive for very long periods. As I cannot find a config setting for connection timeouts, I assume it's some feature of SFTP.
This same type of compromise could very easily occur with software that stores your SFTP login as well. It is only luck, that at that this time the malware authors are not attacking this channel.
What!? QuickConnect also saves passwords into recentservers.xml? You are kidding me, right?
Just double-checked. Here's what I got the moment I pressed “quickconnect”:
<RecentServers>
  <Server>
    <Host>example.com</Host>
    <Port>21</Port>
    <Protocol>0</Protocol>
    <Type>0</Type>
    <User>test</User>
    <Pass>quickconnect</Pass>
    <Logontype>1</Logontype>
    <TimezoneOffset>0</TimezoneOffset>
    <PasvMode>MODE_DEFAULT</PasvMode>
    <MaximumMultipleConnections>0</MaximumMultipleConnections>
    <EncodingType>Auto</EncodingType>
    <BypassProxy>0</BypassProxy>
  </Server>
</RecentServers>
I still can't believe it. This means that I have multiple accounts compromised.
Just check your configuration files.
I used the latest version with all defaults. I know there are modes where passwords are not saved, but I used the default mode since it's what most webmasters use.
I don't have Windows now. And don't want to install it on Linux. I use FileZilla mostly from public computers or my friends' computers or my family's computers. I always use quickconnect because I believed it doesn't store passwords anywhere.
Will change all my passwords now, and check it later.
If you don’t enter a password in the “Quickconnect” bar, FileZilla will ask for the password when you connect. But in this case, the password won’t be saved in the recentservers.xml file.
This way you can use the quickconnect toolbar from public computers.
Good to know, but still this is counter intuitive.
This is alarmist scare mongering. You can’t encrypt your password and allow a quick connect. If FileZilla is to be able to read your password without you having to enter anything, then it’s possible for any programme running on your OS. They should just store the password in rot13 to stop alarmist attention seekers like this post. It’s just as secure as a passwordless login.
Statements like “Unfortunately, there is no such thing as 100% secure operating system. And in case of Windows, where viruses and spyware are not that rare, I would be very concerned if I knew that my data is protected by the operating system only.” are misleading. No OS is 100% secure, but Windows is catastrophically *insecure*. Try Ubuntu, which is immensely more secure than Windows. To claim it's not 100% secure is misleading. For all intents and purposes here for a normal user, Ubuntu is 100% secure.
If you are that worried about security, then don't use FTP, which is a horrifically insecure protocol as it is. If you're on FTP, not SFTP, then all passwords are sent in the clear as it is. If you're on a wifi network with someone else they can read your FTP password already.
Rory,
It looks like you didn't bother to read the whole article.
It says it's quite OK to store passwords in plain text, as encrypted passwords won't make the whole thing more secure. But users should know that if they want quick connects, FileZilla won't protect their passwords. And if their computer gets infected (this happens to many webmasters), their FTP credentials can be easily stolen.
Even if you store passwords for the proxy-user, it’s listed in XML files as clear text.
It’s needless to say, but this is only an issue on Windows systems.
Filezilla is an open source product, based on the security of *nix systems.
It’s not natural that any other person/program besides you should be able to read ANY data in your home folder.
Unfortunately, millions of webmasters work on Windows, where the risk of malware infections is high. And many of them never think about how FTP programs handle their passwords. As a result, hundreds of thousands of hacked websites.
I know, and this doesn’t only count for webmasters, but also for system administrators.
I had this issue reported at work a few months ago to the head of sys-admins.
(about filezilla storing the proxy pass & username in the xml file as cleartext)
It was ‘no big deal’ …
So people getting their sites hacked by this deserve it!
I mean it… If you don't know or control where your passwords go, nothing can save you, not even RSA/DSA keys and encrypted keychains.
Serious…
It is shaping up to be 2009: The year of malware. I have posted on my blog steps to help prevent Gumblar/Martuz here
http://blog.igothacked.com/2009/06/steps-to-prevent-gumblar-martuz-nine.html
[...] http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/ [...]
It’s not rocket science to protect passwords in code: http://msdn.microsoft.com/en-us/library/ms995355.aspx – describes the Microsoft DPAPI (Data Protection API). You can quickly and easily encrypt data using either a user-related key, or a system-related key.
Even if you can see the source code, you don’t have access to the DPAPI key. Even if you download the XML file with the encrypted password, you don’t have access to the DPAPI key.
[If you're stuck with code that can't be modified, either because it's not open source, or because you're not a developer, there's the prospect of using EFS to encrypt the directory containing your configuration files. Not perfect, for sure, but it's one way to keep those XML files from being readable by others.]
And, because it’s my common complaint, why aren’t people using FTPS? It’s a documented standard (unlike SFTP), it uses SSL and existing X.509 certificate infrastructure (unlike SFTP), it works exactly like FTP but secured (unlike SFTP), and you can use passwords or certificates to authenticate as the client user (at the same time as authenticating that the server is the right one). FTPS avoids the sniffing issues associated with plain-text FTP, as SFTP does, but it requires less new learning than SFTP, if you’re already familiar with FTP.
Multiple websites compromised and infected. New version of Gumblar-type malware infection. Worst thing is Google is now listing all infected sites as possibly being harmful to your computer. Which is true, to be fair, but that's going to be a pain to get the sites' credibility back. I “assumed” that FileZilla encrypted that information. But as the saying goes, “Don't assume – it'll only make an ASS out of U and ME!”
Thanks very much for this article, which is valuable to me as a not-very-technical person, for being comprehensible and including practical advice I can immediately follow. My web pages were recently h(ij)acked and flagged as unsafe by Google (the shame …). My provider made no response to my request for advice. I've now taken everything down and need to get safe before I reconstruct it. Can't be sure that the vulnerability is with FileZilla, which I've used for a year or so, but will now change the transfer setting, and then look into other methods altogether.
[...] infected Windows computer. The test proved that malware steals passwords saved in FTP programs (FileZilla in that [...]
I recently migrated to coreftp for my laptop and usb stick for this very reason. (Hint: use -flash option so that it stores info in a text file and not registry.) coreftp indeed does encrypt the password. It also has some other nice security features. The LE version is free (but not open source).
[...] quickconnect bar doesn’t save the password if you don’t type it in the bar (source: comment by Denis “If you don’t enter a password in the “Quickconnect” bar, [...]