Silently cached credentials?

eyebex
226 Transfer OK
Posts: 171
Joined: 2004-04-02 15:24

Re: Silently cached credentials?

#16 Post by eyebex » 2010-10-09 08:50

joshbw wrote: Ah yes, the fix it yourself mentality that mars the entire open source community. When that is the habitual response it doesn't at all encourage people to give you any feedback.
I know, I always hated this fresh answer myself, that is until I got involved in OSS projects that have a high user count, but a low developer / contributor count. If you, over months and years, address other people's issues in your spare time, fix bugs and add features that you personally do not care much about, just because you'd like to make your beloved project even more popular and to keep the issue tracker clean, I guess even the most idealistic person gets that "fix it yourself" / "be happy with what you got" mentality at some point.
joshbw wrote: Finally, I am a bit saddened by the developer's comment about his decision being final. My read on this is that, if true, Filezilla will become yet another example of how a secure protocol can be made insecure through poor implementation.
I'm reading botg's answer differently: Only his decision not to spend any time on a password encryption implementation himself is final. But that does not mean encryption will not make it into FileZilla, in fact he encourages submitting a patch by saying "volunteers may not do a step backwards".

botg
Site Admin
Posts: 35552
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Silently cached credentials?

#17 Post by botg » 2010-10-09 09:03

To clarify: Password obfuscation never ever. Just pointless. On the other hand, making it easier to enable kiosk mode, that's desired.

joshbw
504 Command not implemented
Posts: 6
Joined: 2010-10-08 18:09

Re: Silently cached credentials?

#18 Post by joshbw » 2010-10-09 17:36

Also, without getting into the actual details, the scenarios presented regarding malware interception of passwords were not exhaustive
It wasn't meant to be exhaustive. There are a thousand scenarios. I instead focused on the specific scenarios that I know are actively being exploited in similar products because that is a threat I specifically (had) recommended Filezilla for.
Password obfuscation never ever. Just pointless.
I explained to you why it wasn't. Do you really not understand the difference between "technically possible" and "trivially easy" and why they are not equal? The lock on your front door does not provide absolute security. Do you believe it is pointless to have one? Does your door lack a lock? SSL can be compromised by getting a cert from a rogue CA (and now that there are way too many root CAs and delegate CAs that is a legitimate concern), or by having malware on the client, or XSS on the server so that SSL is out of the equation - does that make SSL pointless? Why do you require that password encryption provide absolute protection to be worthwhile when no other security measure can promise the same thing?

joshbw
504 Command not implemented
Posts: 6
Joined: 2010-10-08 18:09

Re: Silently cached credentials?

#19 Post by joshbw » 2010-10-09 19:33

Since it looks like this is going to be an existing problem until I get enough free time to invest in the project, here is a workaround for people: http://sww.co.nz/an-alternative-to-stor ... p-clients/

Again, botg, I do appreciate the work you have done but I wish you were more analytical about security. Having done some research in the past couple of hours, your insecure password storage has been exploited in the past by Gumblar and similar designs. Your design IS being exploited. You can't prevent all ways that it will be, but you can at least make malware authors evaluate if it is worth the effort. Security is a battle to increase the effort of an attack.

botg
Site Admin
Posts: 35552
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Silently cached credentials?

#20 Post by botg » 2010-10-10 10:16

Ah Gumblar. In case you don't know, Gumblar actually sniffs FTP passwords from the network interface.

Also, the attack vector Gumblar uses to infect your machine in the first place is through Acrobat Reader.

No wonder people get infected if they keep using products by a company known for a track record of bad security vulnerabilities. Uninstall all Adobe products and you'll likely never get an infection at all!

maathieu
500 Command not understood
Posts: 5
Joined: 2009-09-07 11:22
First name: maathieu
Last name: maathieu

Re: Silently cached credentials?

#21 Post by maathieu » 2010-10-13 13:25

botg wrote: Ah Gumblar. In case you don't know, Gumblar actually sniffs FTP passwords from the network interface.

Also, the attack vector Gumblar uses to infect your machine in the first place is through Acrobat Reader.

No wonder people get infected if they keep using products by a company known for a track record of bad security vulnerabilities. Uninstall all Adobe products and you'll likely never get an infection at all!
If it's not Acrobat Reader it is going to be something else. I have had my Filezilla passwords stolen once, although I follow standard security practices (antivirus, antimalware, latest patch for all software I use + not working as an administrator on my machine / also I use foxit reader instead of acrobat reader). I have no idea how malware got through. Sometimes it just "happens."

So I got my 40+ websites modified by some bot who inserted iframes into certain pages. The said iframes propagated malware. What I want to stress here is that a legitimate website can be compromised, and even if you believe you are only browsing "safe" websites you may still run into trouble. It's not always the end user's fault that something happens.

Now, I was told last year on this very forum to not store passwords using Filezilla. So now I use this tool called Keepass to store my passwords. It seems to be stronger although I can imagine it is not perfect.

Consider this: I store passwords using Firefox and Thunderbird's password storage systems. Those didn't get stolen by the bot. The master password technique seems to give a protection strong enough that malware does not try to attack it. Obviously it could be defeated if malware were to install a keylogger and suchlike on my machine and scanned my master password as I type it in, but such a program would be hard to engineer and also much easier to detect than a low profile worm. Malware makers are competent but they are choosing the easiest path to profit. Right now Filezilla is an easy target. As soon as you manage to get a piece of malware on someone's computer, you can go straight to the Filezilla passwords' file and send it all over the internet. No intensive computation, no convoluted piece of software required. Just a few lines of code and voila, your passwords are gone and your website starts propagating malware.

Isn't it possible to strengthen Filezilla a little bit, so that it becomes a less easy target?

Please?

botg
Site Admin
Posts: 35552
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Silently cached credentials?

#22 Post by botg » 2010-10-13 21:16

Malware makers are competent but they are choosing the easiest path to profit
So Stuxnet was easy?
Isn't it possible to strengthen Filezilla a little bit, so that it becomes a less easy target?
Open fzdefaults.xml.example and read up how to enable Kiosk mode. Think of it as site-specific master passwords, so it's even better than a single master password!

boco
Contributor
Posts: 26930
Joined: 2006-05-01 03:28
Location: Germany

Re: Silently cached credentials?

#23 Post by boco » 2010-10-13 21:25

It would be best to offer kiosk mode already in the installer (like the Secure mode of FileZilla 2.x).
No support requests over PM! You will NOT get any reply!!!
FTP connection problems? Please read Network Configuration.
FileZilla connection test: https://filezilla-project.org/conntest.php
FileZilla Pro support: https://customerforum.fileZilla-project.org

rdsears
504 Command not implemented
Posts: 6
Joined: 2010-10-07 05:20
First name: Ryan
Last name: Sears

Re: Silently cached credentials?

#24 Post by rdsears » 2010-10-13 22:11

Alright after a bit of digging I found the SINGLE CHARACTER that needs to be changed to change the default kiosk-mode setting.

src/interface/Options.cpp:180
{ "Kiosk mode", number, _T("0"), default_only },

To make it so passwords aren't stored set it to
{ "Kiosk mode", number, _T("1"), default_only },

To make it so NOTHING is stored set it to
{ "Kiosk mode", number, _T("2"), default_only },

I've tested this with the linux client, because I am by no means a windows dev. I am looking for someone to assist me with getting the windows installer re-compiled, so I can put it into production for our next imaging cycle.

This is my last plea to botg:
Please, please, please reconsider changing the default behavior to kiosk-mode 1, that way it doesn't degrade the functionality of the program, and it would satisfy a lot of people's worries, myself included.

Although I don't agree with the lack of encryption (and there have been good points as to why encryption is good for stuff like this - malicious users are always going to look for the path of least resistance), I respect the fact that this is your project, and it's your choice to do whatever you want with it. I'm talking about a single character change in the source code, not a complete overhaul of anything, because I realize that your time is valuable.

Great work on everything you've done developing Filezilla, and while this is something that tempts me not to use it, I still will. I just have to be mindful of its default behavior, and make sure the people I work with are as well. As much as we don't agree on security issues, I do have to say that Filezilla IS a great program that deserves the highest of praise. I just wish you were a bit more scrupulous about your client side security.

Thank you,
Ryan Sears

markr
500 Command not understood
Posts: 2
Joined: 2010-10-14 13:06

Re: Silently cached credentials?

#25 Post by markr » 2010-10-14 13:29

I have a completely basic question about this issue; I won't delve into the arguments on the merits of password encryption, beyond saying "+1 for encrypting."

After reading the thread on Full Disclosure and browsing over here for more info, I got the impression that Filezilla was silently caching every password used on every site in plaintext. I went looking for my passwords in the XML file, but they weren't there.

So, to be clear, what we're talking about here is passwords that the user opts to store in the Site Manager... it's not like Filezilla is silently grabbing every password that passes through its GUI. Correct?

rdsears
504 Command not implemented
Posts: 6
Joined: 2010-10-07 05:20
First name: Ryan
Last name: Sears

Re: Silently cached credentials?

#26 Post by rdsears » 2010-10-14 13:36

I have a completely basic question about this issue; I won't delve into the arguments on the merits of password encryption, beyond saying "+1 for encrypting."

After reading the thread on Full Disclosure and browsing over here for more info, I got the impression that Filezilla was silently caching every password used on every site in plaintext. I went looking for my passwords in the XML file, but they weren't there.

So, to be clear, what we're talking about here is passwords that the user opts to store in the Site Manager... it's not like Filezilla is silently grabbing every password that passes through its GUI. Correct?
Sadly, Incorrect. It caches everything by default.

They're stored by default in two files (3 if you use site manager) - recentservers.xml and filezilla.xml under lastserver

If you're on linux the files are in:
~/.filezilla/[recentservers.xml,filezilla.xml,sitemanager.xml]

in windows:
%appdata%\[recentservers.xml,filezilla.xml,sitemanager.xml] (start > run > %appdata%)

Filezilla IS silently (and insecurely) grabbing and storing absolutely every password that goes through the gui, with no way to turn it off without editing your filezilla.xml file directly.
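
An added example, not part of the post above or of FileZilla's code: a read-only audit of the three files named in that post that counts non-empty stored passwords without printing them, and reads the Kiosk mode default discussed earlier in the thread. The `<Pass>` element name and the `<Setting name="Kiosk mode">` layout in fzdefaults.xml are assumptions about the XML schema, and the sample data is constructed.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# File names come from the post above; the <Pass> element and the
# <Setting name="Kiosk mode"> layout are assumptions about the XML schema.
CREDENTIAL_FILES = ("recentservers.xml", "filezilla.xml", "sitemanager.xml")

# Constructed sample data (no real credentials) so the audit runs offline.
SAMPLE = {
    "recentservers.xml": "<FileZilla3><Server><User>demo</User><Pass>constructed-sample</Pass></Server></FileZilla3>",
    "sitemanager.xml": "<FileZilla3><Server><User>demo</User><Pass></Pass></Server></FileZilla3>",
    "fzdefaults.xml": '<FileZilla3><Settings><Setting name="Kiosk mode">1</Setting></Settings></FileZilla3>',
}

def audit_config_dir(config_dir):
    """Return {file name: count of non-empty <Pass> elements}; never the values."""
    findings = {}
    for name in CREDENTIAL_FILES:
        path = Path(config_dir) / name
        if not path.is_file():
            continue
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            findings[name] = None  # unparseable: flag for manual review
            continue
        findings[name] = sum(1 for el in root.iter("Pass") if (el.text or "").strip())
    return findings

def kiosk_mode(defaults_file):
    """Return the Kiosk mode value from an fzdefaults.xml file, or None if unset."""
    try:
        root = ET.parse(defaults_file).getroot()
    except (OSError, ET.ParseError):
        return None
    for setting in root.iter("Setting"):
        if setting.get("name") == "Kiosk mode" and (setting.text or "").strip().isdigit():
            return int(setting.text)
    return None

def make_sample_dir():
    d = Path(tempfile.mkdtemp())
    for name, xml in SAMPLE.items():
        (d / name).write_text(xml)
    return d

if __name__ == "__main__":
    d = make_sample_dir()
    print(audit_config_dir(d), kiosk_mode(d / "fzdefaults.xml"))
```

A count above zero for any file means credentials are on disk in that profile; a Kiosk mode of 1 or 2 matches the settings described in post #24.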

markr
500 Command not understood
Posts: 2
Joined: 2010-10-14 13:06

Re: Silently cached credentials?

#27 Post by markr » 2010-10-14 13:52

Thanks for the clarification... yup, there they are, in recentservers.xml... Yikes!

Again putting aside the encryption debate, this seems to violate user expectations. If I use an application that has the option of caching passwords, and I consciously decide not to use that option because I don't want to store the password, it seems reasonable for me to expect that my password is not stored on the filesystem at all, let alone in plain text. This expectation is reinforced when said application prompts me for passwords every time I use it.

This auto-snarfing of passwords seems absurd, unless there is some fundamental need to do it for functionality's sake.

moonsoup
500 Command not understood
Posts: 1
Joined: 2011-01-25 17:46
First name: isme
Last name: moonsoup

Re: Silently cached credentials?

#28 Post by moonsoup » 2011-01-25 17:57

One thing to consider is the intended target audience. I intend FileZilla to be used by experienced users that know what they are doing, colloquially called power users. While users most certainly should not need a PhD or similar degree to use FileZilla, I expect all users to have enough common sense to understand the importance of overall system security.
YES! I am a power user and I keep a secure system and worry about the security of my clients data....
Here is the command on Linux that I used to secure my system..
"apt-get purge filezilla*"

I intend on using the sftp command line client from now on.

I suggest you all do likewise until this is resolved; Flashy bells and whistles are nice until someone smashes your bike.

Power users .. indeed!

boco
Contributor
Posts: 26930
Joined: 2006-05-01 03:28
Location: Germany

Re: Silently cached credentials?

#29 Post by boco » 2011-01-25 20:03

"apt-get purge filezilla*"
Your decision. Nobody is forced to use it.

primefalcon
500 Command not understood
Posts: 5
Joined: 2012-08-17 23:11
First name: brad
Last name: floyd

Re: Silently cached credentials?

#30 Post by primefalcon » 2012-08-17 23:21

This is concerning as hell considering that it'd be trivial for just any malware/hacker or even an individual with access to the machine to do a search on the machine find /home -iname "sitemanager.xml" | cp - /media/memorystick (above is a Linux command but similar batch commands exist for Windows).

With modern encryption being pretty much unbreakable..... I can't understand this attitude.... at least give an option for a master password to encrypt the files using gpg/pgp.... This way it would be key encrypted and not password encrypted and any files that get compromised would have to then be brute forced which would be a pointless prospect with key encryption under a secure and open encryption scheme.
Last edited by primefalcon on 2012-08-23 21:05, edited 1 time in total.
