Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#4507 closed Bug report (rejected)

Recent servers list save's passwords unencrypted

Reported by: Stijn Owned by:
Priority: critical Component: FileZilla Client
Keywords: Recent servers password Cc:
Component version: Operating system type:
Operating system version:

Description

Recently I found out that Filezilla saves the passwords of recent visited servers in an unencrypted file: recentservers.xml

Making it really easy to steal the passwords as soon if you have access to the computer.

This is in my eyes a security threat that should be taken care of.

PS: a little thanks to "Smash" who told me of this bug on the forum of my hoster.

Change History (5)

comment:1 Changed 10 years ago by Tim Kosse

Resolution: rejected
Status: newclosed

It's not a bug it's a design decision.

The settings files are stored in a directory that can only be read by your user account and nobody else. If an attacker can read that file he already has full access to anything. Even if passwords aren't stored at all he can just wait till enter them each time you connect to a server.

comment:2 Changed 10 years ago by Witold Baryluk

Sorry to bother you guys again but i doesn't aggree with you at all.

The settings files are stored in a directory that can only be read by your user account and nobody else.

If (in case of quick connect) they are stored nowhere, nobody can read them at all. So sorry it IS safer. This is particulary good, if you want to use Filezilla in public places or from others computers. You want just to quickly connect to your own SFTP account somewhere, download/upload something and forget about everything. Now FileZilla saves everything including passwords.

If an attacker can read that file he already has full access to anything.

No. We are taking about remote passwords! If attacker have full access to local data I don't want also to automatically give him access to all remote systems i loged anytime, including my Bank Accounts, etc. This is why things like remembering passwords in HTML forms in webbrowsers aren't default. Everytime browser asks user and mostly give him few options: Save now, Save for this domain, Save always, Never save.

Even if passwords aren't stored at all he can just wait till enter them each time you connect to a server.

No. There will no "other times" in some cases.

Additionally current behaviour is completly counter intuitive, i can bet that 90% of people will tell that password isn't saved anywhere, because nobody asked them for remembering it.

Yesterday was my last day I used FileZilla. Thanks You all for hard work.

comment:3 Changed 10 years ago by Kevin

This is the reason why thousands of websites are hacked and/or injected with several iframes on index and default pages. And it is the reason why i deleted Filezilla this week. I can't trust it anymore.

comment:4 Changed 10 years ago by Tim Kosse

You couldn't be more wrong Kevin. The reason why thousands of websites are cracked is because people like you are getting infected with malware. Like I said before, if there's malware on your system it cannot be trusted. If you lack the brains to understand that simple principle, maybe you shouldn't use computers.

comment:5 Changed 10 years ago by Kevin

Thank you for your heads up, but i'm not the one here with the infected computer. Although, i know that having malware from time to time is not unlikely. So, Filezilla, as a creator of software, should take the necessary consequention to beat this and don't save passwords as plain text. You have to be kidding me that this is a 'design decision'. It's just unsecure.

There are even other things than malware why such a file cannot be trusted on an 'open' pc in a network.

Note: See TracTickets for help on using tickets.