Missing password feature now poses a serious security threat

Need help with FileZilla Client? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Message
Author
antwerp
500 Command not understood
Posts: 5
Joined: 2013-12-03 23:23

Re: Missing password feature now poses a serious security th

#16 Post by antwerp » 2013-12-18 02:51

I can see why in the past this may have seemed an unnecessary and somewhat burdensome feature to add. My reason for raising this old issue at this time is that now there is clear evidence that this software exploit is being widely used in the field with devastating personal and financial consequences.

In light of this this new evidence, I felt it was also important to recommend this change so as to prevent the author of FileZilla being exposed to some considerable indemnity risk. I'm sure FileZilla has the normal software indemnity clauses on installation of FileZilla (right?). Even if you did, there may be some jurisdictions where these clauses could be challenged. Just imagine of your wealth was decimated by one of these Trojans OR you're running an insurance company and seeking to minimize costs of recent customer claims. You might be tempted to sue. Even if the case was not upheld, fighting it could cost a fortune. If I were developing FileZilla, I'd think this software change would be just sensible cheap insurance to demonstrate to a court that 'all reasonable means' had been implemented to prevent the risk of being seen as assisting the Trojan writer.

User avatar
botg
Site Admin
Posts: 32254
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Missing password feature now poses a serious security th

#17 Post by botg » 2013-12-18 07:12

How did the trojan get on your computer in the first place?

ftpper
504 Command not implemented
Posts: 9
Joined: 2013-11-26 03:41

Re: Missing password feature now poses a serious security th

#18 Post by ftpper » 2013-12-20 10:49

There's no trojan.

This is a Day 0 exploit that is able to retrieve arbitrary local files that the user has access to e.g. web browser bug or FTP or HTTP server bug. etc. etc.

parmaster
500 Command not understood
Posts: 1
Joined: 2016-11-06 22:18
First name: Par
Last name: Master

Re: Missing password feature now poses a serious security threat

#19 Post by parmaster » 2016-11-06 22:20

Because of this refusal by the Filezilla devs to implement this feature AND the apparent dismissal by the admins...

I will never be using Filezilla.

Good day.

User avatar
botg
Site Admin
Posts: 32254
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Missing password feature now poses a serious security threat

#20 Post by botg » 2016-11-07 07:44

The problem is that any sort of password protection does not actually add any protection.

If your computer is infected, how do encrypted passwords protected by a master password protect against a bit of malware that silently waits until you start FileZilla and enter your master password? It is at this point the malware would wake up and extract the master password straight out of the running program.

Writing a piece of malware that would do just that is quite simple. Here's how to do it, in a few easy steps:
  • Upon infecting the machine, malware replaces the FileZilla icon on the user's Desktop with its own shortcut
  • User starts the malware by double-clicking what he thinks is FileZilla
  • Malware now starts FileZilla and attaches itself as debugger to the FileZilla process
  • Malware sets a breakpoint in the function that handles the OK button in the master password dialog
  • Once user enters his master password, the breakpoint is triggered
  • the malware reads the master password from FileZilla and sends it over the internet to the evil hacker, along with the user's encrypted server credentials
  • Malware lets FileZilla continue
  • The evil hacker cackles in his lair
This malware would be entirely silent, the user cannot detect it as there's no behavioral difference in his system he could detect

Chake
500 Command not understood
Posts: 1
Joined: 2016-11-07 08:25

Re: Missing password feature now poses a serious security threat

#21 Post by Chake » 2016-11-07 08:37

Why do you make users think password are somehow hidden, obfuscated or encrypted? It's not possible so see the password in the servermanager although it is stored plain text on disk. You decieve people that password are stored/handeled in another way as user or servername.

Why do you have captchas installed for your forum registration? It's prooven that programs can solve those better than humans today.
It's just harder to implement. And you are right! It helps a lot if something is harder to implement. Because this extra effort must done and there may be other low hanging fruits the malware dev is aiming for. As for now filezilla is a fruit already fallen to the ground.

When infecting a PC the malware may only have little time (next antimaleare/virus update) before the user/antimaleare/virus program notices anything. Perhaps the user doesn't use filezilla during this time? BAM! Passwords saved.

You are right, there ist no perfect security. And you are invited to inform your users about it. But you are making them think passwords are save.

ilustrul
500 Command not understood
Posts: 1
Joined: 2016-11-07 08:54
First name: Mircea
Last name: Marinescu

Re: Missing password feature now poses a serious security threat

#22 Post by ilustrul » 2016-11-07 09:00

@botg: Your argument is pretty bogus. Why? In your version, only advanced malware, developed by REAL programmers can steal FileZilla passwords. In the current status quo, every script kiddie, and every shitty vb script can steal the passwords... this is the difference.

If you ask me, then hell yes, the effort to implement this feature well worth it, as it makes stealing passwords WAY HARDER.

I don't know why you're so stubborn, it's been ages since users ask for this... why the resistance?

User avatar
botg
Site Admin
Posts: 32254
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse
Contact:

Re: Missing password feature now poses a serious security threat

#23 Post by botg » 2016-11-07 10:53

Chake wrote:Why do you make users think password are somehow hidden, obfuscated or encrypted? It's not possible so see the password in the servermanager although it is stored plain text on disk. You decieve people that password are stored/handeled in another way as user or servername.
Not displaying passwords is just a measure against passive onlookers, such as a co-worker looking over your shoulder. Nothing more, nothing less.
Chake wrote:When infecting a PC the malware may only have little time (next antimaleare/virus update) before the user/antimaleare/virus program notices anything.
Wishful thinking. Sadly AV software is mostly snake oil. Carefully operated, malware can fly under the radar for months before it is detected.
Chake wrote:Perhaps the user doesn't use filezilla during this time? BAM! Passwords saved.
I agree, that is one actual benefit, assuming the malware is actually being detected and removed. The questions are: How can you be sure it is fully gone? It got onto your machine before, what stops it from happening again?
ilustrul wrote:In your version, only advanced malware, developed by REAL programmers can steal FileZilla passwords. In the current status quo, every script kiddie, and every shitty vb script can steal the passwords... this is the difference.
These days script kiddies use off-the-shelve exploit kits: Simple GUIs to click together exploits and payloads to create built-to-order malware. The individual components of these exploit kits are created by highly skilled programmers.
ilustrul wrote:I don't know why you're so stubborn, it's been ages since users ask for this... why the resistance?
Because it does not add any real security. Worse, having master passwords even creates a false sense of security.


Simply put, once a machine has become infected it cannot be trusted for anything and needs to be completely wiped. If you can prevent infection however, you could even store nuclear launch code in a plain text file on your desktop.

Post Reply