FileZilla Secure - a modified FileZilla client that encrypts passwords

fzss
500 Command not understood
Posts: 2
Joined: 2016-11-05 20:56

FileZilla Secure - a modified FileZilla client that encrypts passwords

Post by fzss »

I love FileZilla, a lot. It's the best FTP program I've ever used, so I was very shocked when every website I manage (on 4 different servers) was hacked at the same time. How could this be? It turned out FileZilla was saving all my FTP passwords in plain text files and some malware targeted this file.

I switched to WinSCP, which encrypts saved FTP passwords with a master password, but it just wasn't as good.

So now I have modified FileZilla and added the master password functionality that many of us would like to use to help protect ourselves.

I'm calling it FileZilla Secure and you can download it here: http://www.filezillasecure.com

I hope some people can get some use out of it and I'd appreciate any feedback.
botg
Site Admin
Posts: 35991
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla Secure - a modified FileZilla client that encrypts passwords

Post by botg »

Did you do a root cause analysis to figure out how the malware got onto your machine in the first place?

Also, how does this prevent malware from simply capturing your master password as you enter it?

Last but not least, using outdated versions isn't secure at all; it's very insecure to run outdated software.
fzss
500 Command not understood
Posts: 2
Joined: 2016-11-05 20:56

Re: FileZilla Secure - a modified FileZilla client that encrypts passwords

Post by fzss »

botg wrote: Did you do a root cause analysis to figure out how the malware got onto your machine in the first place?
It got onto my machine through some sort of browser exploit.
botg wrote: Also, how does this prevent malware from simply capturing your master password as you enter it?
As soon as I visited the attack page I could tell some malware had gotten onto my system. The first thing I did was try to remove it, but it had already copied my FileZilla password file and sent it off. It was too late to do anything because this malware specifically targeted the FileZilla saved password file.

Malware could install a keylogger and wait for you to input your password, but this would most likely produce a large keylog file an attacker would have to sift through looking for the password. In my case the attack was completely automated: the malware got into my system through my browser, looked for the FileZilla password file, then once it found the password file automatically uploaded itself to all my websites. Then the process repeated and any of my visitors who had a vulnerable browser and saved passwords in FileZilla experienced the same thing. Master passwords are the difference between 1 hacker hacking 1000 sites in a day with little effort and 1 hacker hacking 1 or 2 sites in a day after spending hours analyzing logs. Yes, a determined attacker may be able to get around a master password, but in my experience most attackers are just trying to hack as many sites as quickly and easily as possible. They are just trying to make a dollar, not specifically targeting my site, and master passwords will slow them down or make them go after easier targets.
botg wrote: Last but not least, using outdated versions isn't secure at all, it's very insecure to run outdated software.
Yes, we're using a version a few months old, it was the newest version when we started this project. We'll be updating to the newer versions in time. But yes, you're right, using insecure software is not smart.. some hacker might get your password! :p

Anyways, this isn't meant as an attack on FileZilla, I love FileZilla, it's been my favorite FTP program for 12 years now. This is just for the few people who want FileZilla and the ability to encrypt their saved passwords with a master password. Thanks for developing FileZilla all these years!
botg
Site Admin
Posts: 35991
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla Secure - a modified FileZilla client that encrypts passwords

Post by botg »

fzss wrote: As soon as I visited the attack page I could tell some malware had gotten onto my system.
You were most fortunate that the malware was of such low quality. Quality malware you wouldn't have detected that easily, if at all.
fzss wrote: Malware could install a keylogger and wait for you to input your password but this would most likely produce a large keylog file an attacker would have to sift through looking for the password.
A keylogger isn't even needed. I've sketched a possible malware implementation at viewtopic.php?p=150488#p150488 that would work against your modified version.

This class of malware would work against each and every program that uses master passwords. Implementing it is not hard in any, it should take a skilled developer about half a day to implement this malware.
camelot
500 Command not understood
Posts: 1
Joined: 2016-11-07 13:55

Re: FileZilla Secure - a modified FileZilla client that encrypts passwords

Post by camelot »

@fzss: Just want to say thank you. This feature was missed a long time! Please keep it updated.
botg
Site Admin
Posts: 35991
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: FileZilla Secure - a modified FileZilla client that encrypts passwords

Post by botg »

I did a brief review of your changes, here are my findings:

- Custom AES and SHA implementation instead of using libnettle
- It corrupts large queues due to only using a 32-bit integer for file sizes
- Header (de)serialization is not endianness-aware
- It does not handle the case in which the different files use different passwords, silently discarding the user's data
- The IV isn't chosen randomly; encrypting the same data twice yields the same ciphertext
- The ciphertext isn't authenticated; it is possible for an attacker to change parts of the plaintext to his liking, e.g. the stored host where the password is ultimately sent to
- You cannot rely on the code that checks only one instance of FileZilla is running; the settings may be stored on a filesystem that does not support this functionality. It can fail for any number of additional reasons as well
- I haven't looked at the queue storage code yet, probably more issues there as it's a lot of new code
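
The IV, authentication, file-size and byte-order findings in the review above, worked through as an added example that is not part of the thread and is not FileZilla or FileZilla Secure code: a sealed-file layout with a fresh random salt and IV per write, a 64-bit length in an explicitly little-endian header, encrypt-then-MAC over header and ciphertext, and an explicit error instead of discarded data on a wrong password. The `FZX1` tag, all function names and the HMAC-based keystream (a standard-library stand-in for AES from a vetted library such as libnettle) are assumptions.

```python
import hashlib, hmac, secrets, struct

MAGIC = b"FZX1"                        # hypothetical format tag (assumption)
HEADER = struct.Struct("<4s16s16sQ")   # magic, salt, IV, 64-bit length; "<" fixes byte order
ITERATIONS, TAG_LEN = 200_000, 32

class VerificationError(Exception): pass   # wrong password or modified file: keep the file

def _keys(password, salt):
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]          # separate encryption and MAC keys

def _xor_stream(key, iv, data):
    # Stand-in keystream (HMAC-SHA256 in counter mode) so the example needs only
    # the standard library; real code would call AES-CTR/GCM from a vetted library.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, iv + struct.pack("<Q", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(password, plaintext):
    salt, iv = secrets.token_bytes(16), secrets.token_bytes(16)   # fresh per write
    enc_key, mac_key = _keys(password, salt)
    body = HEADER.pack(MAGIC, salt, iv, len(plaintext)) + _xor_stream(enc_key, iv, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC

def unseal(password, blob):
    if len(blob) < HEADER.size + TAG_LEN or blob[:4] != MAGIC:
        raise ValueError("not a sealed file")
    _, salt, iv, length = HEADER.unpack_from(blob)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _keys(password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # verify before decrypting anything
        raise VerificationError("MAC mismatch")
    if length != len(body) - HEADER.size:
        raise ValueError("length field does not match payload")
    return _xor_stream(enc_key, iv, body[HEADER.size:])

if __name__ == "__main__":
    record = b"host=ftp.example.test user=alice pass=constructed-sample"  # constructed
    blob = seal("master password", record)
    assert blob != seal("master password", record)   # random salt and IV: output never repeats
    forged = bytearray(blob); forged[HEADER.size + 5] ^= 1   # one bit changed inside the host
    try:
        unseal("master password", bytes(forged))
    except VerificationError as err:
        print("rejected:", err)
```

Because the tag covers the header as well as the ciphertext, a changed salt, IV or length field is rejected the same way as a changed host.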