Opened 10 years ago

Last modified 6 years ago

#5371 reopened Bug report

Password is publicly displayed on export

Reported by: Tyron
Owned by: Atul Jha
Priority: low
Component: FileZilla Client
Keywords: password, export
Cc:
Component version:
Operating system type: Linux
Operating system version: Ubuntu 10.04

Description

If I export my connections list, which has some passwords stored, the XML generated has the passwords publicly displayed. I think there should be, at least, an obfuscation on that, since it's easy to find out someone's password (which is obfuscated in the program) just by exporting their connections and looking through the XML.

Change History (16)

comment:1 Changed 10 years ago by Tim Kosse

Resolution: rejected
Status: new → closed

Obfuscation won't be implemented as it offers no additional security.

The real question is, how comes somebody else has access to your private data in the first place?

comment:2 Changed 10 years ago by Tyron

Priority: high → critical
Resolution: rejected
Status: closed → reopened

Well, I'm afraid I have to say that I think this question is still valid, and it can make a huge difference for people who are concerned about their security when choosing whether to use FileZilla or not.

Assume that you are working on your notebook in your office, on which you have all your own sites stored (which is perfectly possible if you are a freelancer). Then you need to go to the toilet and forget to lock your PC!

In other software where your password is kept stored, such as email applications, if anyone tries to check your messages in the meantime, the person will stop doing this as soon as you get back to your PC, as he won't have your passwords. On the other hand, if he finds the passwords of your sites, he can save them to a pendrive and take a look at them with no hurry, as it can be done on his PC. Then he'll be able to see your files, your security holes, your DB's user and password.

Maybe obfuscation won't offer additional security. In that case, make the passwords not-exportable! Simple as that!
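As an added illustration of the export the reporter describes, of Tim Kosse's reply that obfuscation adds no security, and of the "not exportable" alternative asked for above, here is a small Python script. It is an example added here, not FileZilla's own code. It parses a constructed site-manager style export, recovers every stored password whether it is written as plain text or as base64 (a reversible encoding, which is why it protects nothing), and produces a copy of the export with the password elements stripped. The element names (FileZilla3, Servers, Server, Host, User, Pass, Name) and the encoding="base64" attribute follow the general layout of FileZilla's sitemanager.xml, but the sample document is constructed and the exact layout is an assumption for the purpose of the example.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample export. The element names mimic FileZilla's sitemanager.xml
# layout, but this is an assumption made for the example, not a real exported file.
SAMPLE_EXPORT = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <User>alice</User>
      <Pass>hunter2</Pass>
      <Name>Plain site</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host>
      <Port>22</Port>
      <User>bob</User>
      <Pass encoding="base64">Y29ycmVjdGhvcnNl</Pass>
      <Name>Obfuscated site</Name>
    </Server>
    <Server>
      <Host>files.example.test</Host>
      <Port>22</Port>
      <User>carol</User>
      <Name>Keyfile site (no stored password)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def recover_password(pass_el):
    """Return the clear-text password held by a <Pass> element.

    A base64 "obfuscated" value is decoded with one library call: encoding is not
    encryption, so anyone holding the file recovers the secret just as easily.
    """
    text = pass_el.text or ""
    if pass_el.get("encoding") == "base64":
        return base64.b64decode(text).decode("utf-8")
    return text


def find_exposed_credentials(xml_text):
    """Return (name, user, host, password) for every server that stores a password."""
    root = ET.fromstring(xml_text)
    exposed = []
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        if pass_el is None:
            continue  # no stored secret for this entry
        exposed.append((
            server.findtext("Name", ""),
            server.findtext("User", ""),
            server.findtext("Host", ""),
            recover_password(pass_el),
        ))
    return exposed


def strip_passwords(xml_text):
    """Return a copy of the export with every <Pass> element removed.

    This is the "make the passwords not-exportable" behaviour, done as a
    post-processing step so the site list can be shared without its secrets.
    """
    root = ET.fromstring(xml_text)
    for server in root.iter("Server"):
        for pass_el in server.findall("Pass"):
            server.remove(pass_el)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, user, host, password in find_exposed_credentials(SAMPLE_EXPORT):
        print(f"{name}: {user}@{host} password={password!r}")
    print(strip_passwords(SAMPLE_EXPORT))
```

Running it lists both stored passwords in clear text (the base64 one included) and prints a stripped copy that contains no <Pass> elements; the stripped copy is the only form of the file a practitioner should let leave the machine.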

comment:3 Changed 10 years ago by Tim Kosse

Priority: critical → low
Resolution: rejected
Status: reopened → closed

Then you need to go to the toilet and forget to lock your PC!

It's the equivalent of leaving your home without locking the door. Even if you would store everything inside your home in nice little safes, the burglar would just install cameras so that he will get your combination when you open your safe the next time.

comment:4 Changed 10 years ago by Tyron

Well, I see that this discussion is pointless...

the burglar would just install cameras so that he will get your combination when you open your safe the next time.

I think I would notice some cameras in my home that I didn't install. That's the point... Exporting passwords is completely untraceable, i.e. you'll never find out that someone may be accessing your files.

If I am that wrong, just answer me: why can't you recover your Outlook or Thunderbird account passwords, even if you export your settings? Why does Google require that you re-enter your password before entering the Account Settings page, even if you have just authenticated? (Try logging in to your Gmail, and then point your browser to https://www.google.com/dashboard/. What happens?!)

Not exporting the passwords is the best way out of this problem. Unfortunately, it seems that this solution is not even considered by the team. Such a pity.

comment:5 Changed 9 years ago by Rojanu

Resolution: rejected
Status: closed → reopened

Having passwords in plain text doesn't help at all; I am having difficulty understanding your attitude on this issue. It is clearly a user requirement and an additional barrier for people who are trying to get at user passwords, one way or the other.

In bug http://trac.filezilla-project.org/ticket/3226, the comment suggests that the client never hashed the passwords, but in FZ2 they weren't plain text either.

I have even come across some sites advising people on this security issue:

http://www.tech-evangelist.com/2009/06/08/filezilla-alert-trojan-virus/?PHPSESSID=a8df8463581cb0cfaaf6a358efe88fc9

http://www.tech-evangelist.com/2009/05/09/backup-filezilla-settings/

http://www.icpep.org/filezilla-saved-passwords/

Please fix this bug/introduce a new feature.

comment:8 Changed 8 years ago by Fred Lange

I'm surprised at how FileZilla stores passwords locally, which is very insecure. This is why I switched to WinSCP and use SFTP for all file transfers on a client's MMA training website.

comment:13 Changed 7 years ago by Atul Jha

Owner: set to Atul Jha
Status: reopened → assigned

comment:14 Changed 7 years ago by Atul Jha

Resolution: rejected
Status: assigned → closed

comment:15 Changed 7 years ago by Atul Jha

Resolution: rejected
Status: closed → reopened

comment:16 Changed 7 years ago by Atul Jha

Resolution: outdated
Status: reopened → closed

comment:17 Changed 7 years ago by Atul Jha

Resolution: outdated
Status: closed → reopened
