Filezilla password plaintext disaster

BigBang
500 Command not understood
Posts: 2
Joined: 2009-03-11 19:04

Filezilla password plaintext disaster

#1 Post by BigBang » 2012-04-22 20:54

Hi

I'm a freelancer and earn the money for my family with this job.

There are about 50 customers who trust in me and in my services.
They pay me for security and support.

The day came when all my customers called me and told me they had been hacked!
My world was going down, and I didn't understand what had happened.
Why were all my customers on different servers with different systems hacked,
some of which I hadn't connected to in years?

Google helped me, and I was really shocked. Filezilla, one of the "best" FTP programs,
made me this gift. Thank you.

I got a Trojan on my system, shit happens, and this Trojan sent all my data stored
in plaintext by Filezilla.

I'm OK with "it is not the job of Filezilla to keep Trojans out", but
getting ALL MY CUSTOMERS' ACCESS DATA stolen because Filezilla doesn't encrypt the password,
you think that's OK?

Other FTP programs DO encrypt!

I have now been working for 3 days without sleep to save my customers' reputation
and put the sites back online one by one. My poor daughter, she doesn't understand what has happened to Daddy.

Do the developers know how many sites get hacked just because they won't change their minds?

Is it so hard to encrypt the passwords? Windows isn't safe, everybody knows it.
A second security barrier is needed with this kind of sensitive data.

I work behind a hardware firewall, with current antivirus (Avast 7), Firefox updated, Windows 7 updated.
Nothing helped me to prevent this one.

I found out there are a lot of professionals who write: "do not use Filezilla"
Google: Filezilla passwords plaintext / Filezilla trojan

If some admin deletes my statement, I will find 10+ blogs to post it on, that's a promise.

xeon
226 Transfer OK
Posts: 128
Joined: 2009-08-19 03:18

Re: Filezilla password plaintext disaster

#2 Post by xeon » 2012-04-22 23:34

BigBang wrote: They pay me for security and support.
BigBang wrote: I got a Trojan on my system
Are you sure you're in the right line of work? :roll:

botg
Site Admin
Posts: 32616
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Filezilla password plaintext disaster

#3 Post by botg » 2012-04-23 06:05

If you've got a trojan on your computer, no amount of password obfuscation will help.

Instead, you need to prevent the infection in the first place.

beededea
500 Command not understood
Posts: 5
Joined: 2010-06-03 10:22
First name: Dean
Last name: Beedell

Re: Filezilla password plaintext disaster

#4 Post by beededea » 2012-05-14 13:02

The last two responses to this admittedly old post are appalling. The poor chap is stating his personal disaster caused by using an inadequate tool that should not be used on Windows. Do you really feel it appropriate to offer curt and sarcastic messages in response to a genuine plea for acknowledgement?

Some o/s provide decent security, but we all know Windows in some flavours does not. FileZilla has inadequate security for Windows, storing its passwords in plain text in an unsecured area, and therefore either FileZilla or this functionality should not be offered on this platform. If FileZilla continues to be offered for Windows, then big warning signs should be displayed on the quick connect and other configuration options that state "FileZilla will store your passwords in plain text, enable or disable?"

My suggestion is that any Windows users drop FileZilla like a hot cake now! Use an open source tool like WinSCP that protects password data using encryption and a master password. Remember, all sensitive information stored on a computer must be encrypted, and all steps taken to ensure protection against keyloggers, trojans &c.

I think the general response to this sort of problem on the FileZilla forums is inappropriate and tantamount to trolling poor unsuspecting users of the FileZilla client.

botg
Site Admin
Posts: 32616
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Filezilla password plaintext disaster

#5 Post by botg » 2012-05-14 22:35

You can already disable saving of passwords in the settings dialog of FileZilla.

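The setting botg refers to controls whether the client writes a `<Pass>` element into its Site Manager file at all. The audit below, an added example and not FileZilla project code, parses a Site Manager document and reports which entries still carry a saved password, without ever reading the secret itself into the report. It assumes the sitemanager.xml layout I know from FileZilla 3 (a `<Servers>` tree of `<Server>` entries with `<Host>`, `<User>`, `<Name>` and an optional `<Pass>`, which newer builds tag with an `encoding` attribute); the XML document embedded in the block is constructed for the example.

```python
"""Audit a FileZilla Site Manager file for stored credentials.

Added example, not FileZilla project code. Assumed layout of
sitemanager.xml (kept in the FileZilla folder under %APPDATA% on
Windows): a <Servers> tree of <Server> entries, each with <Host>,
<Port>, <User>, <Name> and, when the client was allowed to save the
password, a <Pass> element. The sample document is constructed.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample: two sites with saved passwords, one without.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example-a.test</Host>
      <Port>21</Port>
      <User>alice</User>
      <Pass>not-a-real-password</Pass>
      <Name>Customer A</Name>
    </Server>
    <Server>
      <Host>sftp.example-b.test</Host>
      <Port>22</Port>
      <User>bob</User>
      <Pass encoding="base64">bm90LXJlYWw=</Pass>
      <Name>Customer B</Name>
    </Server>
    <Server>
      <Host>ftp.example-c.test</Host>
      <Port>21</Port>
      <User>carol</User>
      <Name>Customer C (no saved password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def audit_sitemanager_xml(xml_text):
    """Return one record per <Server>: name, host, user, whether a <Pass>
    element is present and how it is tagged. The password value is never
    copied into the result, so the report can be logged or shared."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        findings.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "password_stored": pass_el is not None,
            # A <Pass> without an encoding attribute holds the raw value;
            # "base64" is reversible encoding, not protection.
            "encoding": (pass_el.get("encoding", "plain")
                         if pass_el is not None else None),
        })
    return findings


def summarize(findings):
    """Counts for a quick yes/no answer: are saved passwords on disk?"""
    stored = [f for f in findings if f["password_stored"]]
    return {"sites": len(findings), "with_saved_password": len(stored)}


def default_sitemanager_path():
    """Where the real file lives on a Windows profile (assumed layout)."""
    return os.path.join(os.environ.get("APPDATA", ""),
                        "FileZilla", "sitemanager.xml")


if __name__ == "__main__":
    report = audit_sitemanager_xml(SAMPLE_SITEMANAGER)
    for f in report:
        flag = "SAVED PASSWORD" if f["password_stored"] else "ok"
        print(f"{f['name']:<32} {f['user']}@{f['host']:<22} {flag}"
              f" ({f['encoding']})")
    print(summarize(report))
```

To run it against a real profile, pass the contents of `default_sitemanager_path()` to `audit_sitemanager_xml` instead of the sample; a non-zero `with_saved_password` count after disabling password saving means existing entries still need to be edited or the file re-saved.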
boco
Contributor
Posts: 24915
Joined: 2006-05-01 03:28
Location: Germany

Re: Filezilla password plaintext disaster

#6 Post by boco » 2012-05-14 23:25

The problem is not that Windows is insecure (modern versions offer decent security). The real problem is that it is configured in an insecure manner by default, and many users don't know or care to turn it on. Security and convenience are mutually exclusive, you always give up some of one to get some of the other.

beededea
500 Command not understood
Posts: 5
Joined: 2010-06-03 10:22
First name: Dean
Last name: Beedell

Re: Filezilla password plaintext disaster

#7 Post by beededea » 2012-05-15 12:24

botg wrote: You can already disable saving of passwords in the settings dialog of FileZilla.
Thank goodness for that - it took a long time for that one to sink in. I noted the previous arguments and rants in the various posts on this subject and, in disgust at the main devs' responses, I gave up using the FileZilla client a while back.

The problems that occurred due to "the plain text disaster" are those that you discover only after you have been hacked, and it is not much good to find out after the event... My machine was well protected (Malwarebytes, Avast, ClamWin, Sygate) and I am a sysadmin going back many years, so I know my stuff; still, a trojan infected my PC through a fake Adobe update. Four passwords were trawled from FileZilla within an instant, even though I shut the system down within seconds of the infection occurring. Had I known that FileZilla stored plain text passwords I would have taken steps to secure the data, but I didn't know about FileZilla's peculiarities/vulnerabilities, nor did the poor chap above. You could almost think of FileZilla as a trojan in itself, planting a back door way in for anyone to exploit! Sabotage for Windows... that's a good name for the product.

As a result I now use WinSCP, no looking back, once bitten, twice shy. However, I still use and recommend FileZilla Server and aim to contribute positively to the project if I can.
