Opened 15 years ago

Closed 15 years ago

Last modified 11 years ago

#4731 closed Feature request (rejected)

Password stolen via filezilla.xml -

Reported by: iiaass Owned by:
Priority: critical Component: FileZilla Client
Keywords: Iframe Hack stolen password Cc: burak@…
Component version: Operating system type: Windows
Operating system version:

Description

I using filezilla for two now.. and but has to stop..
Note that 40 site of mine was hacked recently and block by google...

"Virus undetected by avast and nod 32". Later reported..

Iframe Hack
http://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=Iframe+Hack

-NEED TO AVOID SAVING FILE IN TEXT FORMAT.. TOO VULNERABLE..

Change History (4)

comment:1 by Tim Kosse, 15 years ago

Resolution: rejected
Status: newclosed

If you let your computer get infected the way any passwords are stored does not make any difference. A compromised system cannot be trusted, no matter what.

comment:2 by burak, 15 years ago

Cc: burak@… added
Resolution: rejected
Status: closedreopened

In real life you tell a "secret" to a person whom you trust. Therefore from a users point of view I give my "secret/password" to FileZilla to keep, I trust it and the developers, this is an open source project afterall, so it must be safe?

Firefox is safe, I trust that also... I tell it my passwords, but it tells me that to keep it safe I have to give a master password. That's ok. Better then remembering hundreds of passwords.

People get "emotional" when their secret is told to some other person by the person they trust. So I see lot's of frusterated people on the forums and mailing lists because their passwords are stolen, this is normal. I got emotional when I figured out that my password was compromised, I trusted FileZilla (I still do) and I thought that it gave me away. Yes it's true it's not FileZilla's fault but why does it make it so easy for the passwords to be stolen? It runs on Windows I don't like it but haven't got another choice like the thousands out there? Firefox saved it? At least until I could change my passwords? After thinking for a while and searching around I concluded that it's not totaly FileZilla's fault my passwords got compromised but it had it's share.

I really like FileZilla, I think it's a great tool. I will continue using it, even if this feaute is not implemented, I will keep my passwords on an encrypted file, etc. But why not make it better? It's not that hard to implement a solution like on firefox? I work on web based systems but I'm volunteering to work for this feature? And I think that there's lots of people who want this feature.

Please re-think this? From what I have seen so far the developers don't want this feature, I'm not sure why, but think about it, people trust you guys and give their passwords. If you think it's totaly Windows's fault (yes, mostly it is) and there's nothing to do about this (we can't change Windows) maybe you should stop making builds for Windows, not to let down people who trust you?

Anyways I might still be emotional, not mad, but a little sad becuse I have to reinstall a server this Saturday :(

comment:3 by Tim Kosse, 15 years ago

Resolution: rejected
Status: reopenedclosed

In real life you tell a "secret" to a person whom you trust.
Therefore from a users point of view I give my "secret/password"
to FileZilla to keep, I trust it and the developers, this is an
open source project afterall, so it must be safe?

Your computer is the equivalent to that trusted person. If that person has been brainwash you cannot trust it anymore. Likewise if your computer is infected by a trojan you cannot trust it anymore.

No amount of obfuscation will help, you need to prevent the infection in the first place. And your firefox isn't safe either, that trojan will just sit there and grab your master password the next time you enter it. Nothing gained by such pseudo security.

comment:4 by burak, 15 years ago

What you say is true to some point but in the end my FileZilla passwords are stolen, Firefox passwords are safe. FileZilla is like a sitting duck and this might be considered as a vulnurability. There is a point that is being missed out. I'm not giving the OS my passwords to keep, I'm giving FileZilla thinking that its safe.

Anyways, I have found a way to safely use FileZilla for the mean time, I believe that the developers will evantually develop a reasonable solition.

(As for my solution, to anyone interested, I encrypt the FileZilla files using a third party open source software (such as AxCrypt) while I'm not working with FileZilla, I decrypt the files before I start FileZilla. This is not totally safe since the files are still vulnurable while I'm running FileZilla but at least it's not a direct target, which I suspect the files are uploaded right after Windows gets infected. And I'm planning on moving to Linux, btw. the same vulnurability exists in Linux but at least Linux is not as risky as Windows.)

Note: See TracTickets for help on using tickets.