Comments on: Beware: FileZilla Doesn’t Protect Your Passwords

By: Learning from Adversity » jon davito | no sotto voce

Learning from Adversity » jon davito | no sotto voce — Fri, 12 Mar 2010 21:35:39 +0000

[...] think are safe are not really safe at all. I was shocked to find out that my favorite FTP client, FileZilla, does not protect your passwords. In fact, many FTP clients don’t protect your passwords. I believe this also includes the [...]

By: Preventing FileZilla’s quickconnect from saving your passwords – PCR's notepad

Wed, 03 Feb 2010 11:08:23 +0000

[...] quickconnect bar doesn’t save the password if you don’t type it in the bar (source: comment by Denis “If you don’t enter a password in the “Quickconnect” bar, [...]

By: zach

zach — Tue, 05 Jan 2010 02:43:35 +0000

I recently migrated to coreftp for my laptop and usb stick for this very reason. (Hint: use -flash option so that it stores info in a text file and not registry.) coreftp indeed does encrypt the password. It also has some other nice security features. The LE version is free (but not open source).

By: gifimg.php Malicious Scripts Removal Instructions | PHP Proficient

gifimg.php Malicious Scripts Removal Instructions | PHP Proficient — Fri, 25 Dec 2009 18:56:25 +0000

[...] infected Windows computer. The test proved that malware steals passwords saved in FTP programs (FileZilla in that [...]

By: Elizabeth James

Elizabeth James — Sat, 28 Nov 2009 13:49:13 +0000

Thanks very much for this article, which is valuable to me as a not-very-technical person, for being comprehensible and including practical advice I can immediately follow. My web pages were recently h(ij)acked and flagged as unsafe by Google (the shame …). My provider made no response to my request for advice. I’ve now taken everything down and need to get safe before I reconstruct it. Can’t be sure that the vulnerabilty is with Filezilla, which I’ve used for a year or so, but will now change the transfer setting, and then look into other methods altogether.

By: Ollie Barnett

Ollie Barnett — Mon, 02 Nov 2009 12:04:37 +0000

Mulitple websites compromised and infected. New version of Gumblar type malware infection. Worst thing is Google is now listing all infected sites as may being harmful to your computer. Which is true to be fair but thats going to be a pain to get the sites credibility back. I “assumed” that Filezilla encrypted that information. But as the saying goes “Dont assume – it’ll only make an ASS out of U and ME!

By: MyBlog « myBlog

MyBlog « myBlog — Thu, 01 Oct 2009 17:17:39 +0000

[...] http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/ [...]

By: Alun Jones

Alun Jones — Mon, 14 Sep 2009 16:22:24 +0000

It’s not rocket science to protect passwords in code: http://msdn.microsoft.com/en-us/library/ms995355.aspx – describes the Microsoft DPAPI (Data Protection API). You can quickly and easily encrypt data using either a user-related key, or a system-related key.
Even if you can see the source code, you don’t have access to the DPAPI key. Even if you download the XML file with the encrypted password, you don’t have access to the DPAPI key.
[If you're stuck with code that can't be modified, either because it's not open source, or because you're not a developer, there's the prospect of using EFS to encrypt the directory containing your configuration files. Not perfect, for sure, but it's one way to keep those XML files from being readable by others.]
And, because it’s my common complaint, why aren’t people using FTPS? It’s a documented standard (unlike SFTP), it uses SSL and existing X.509 certificate infrastructure (unlike SFTP), it works exactly like FTP but secured (unlike SFTP), and you can use passwords or certificates to authenticate as the client user (at the same time as authenticating that the server is the right one). FTPS avoids the sniffing issues associated with plain-text FTP, as SFTP does, but it requires less new learning than SFTP, if you’re already familiar with FTP.

By: FileZilla FTP İstemcisi ve Plain Text Şifreler | Syslogs

FileZilla FTP İstemcisi ve Plain Text Şifreler | Syslogs — Sun, 13 Sep 2009 16:44:16 +0000

[...] http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/ [...]

By: MK

MK — Mon, 07 Sep 2009 06:38:17 +0000

This same type of compromise could very easily occur with software that stores your SFTP login as well. It is only luck, that at that this time the malware authors are not attacking this channel.