Opened 12 years ago
Closed 10 years ago
#8237 closed Bug report (duplicate)
Encrypt passwords
| Reported by: | ftpuserd | Owned by: | |
|---|---|---|---|
| Priority: | critical | Component: | FileZilla Client |
| Keywords: | password encrypt security | Cc: | yerenkov.scott@… |
| Component version: | Operating system type: | Windows | |
| Operating system version: | All |
Description
Just found out about this due to a recurrent series of website hacks which seem on investigation to be to this error.
It's really lax. Even if FZ is not being used at the time, any virus or malware can scoop up the ftp addresses, usernames and passwords.
I have been recommending FZ for years, but I am now putting out an advisory to stop using it as a matter of urgency. For those using it to manage a lot of sites, a single infection on a client machine could trigger weeks of server clean-up work.
And I'm frankly shocked by the developer's response to tickets and forum posts on this over the years. It borders on negligence for such an otherwise excellent tool.
Change History (3)
comment:1 by , 12 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:2 by , 10 years ago
| Cc: | added |
|---|---|
| Resolution: | fixed |
| Status: | closed → reopened |
This is definitely a major weakness in the software, and the issue is not resolved if I am able to go into "%appdata%\FileZilla\sitemanager.xml" and get this sort of information (I typed in some random information into the Site Manager in the GUI of FileZilla and this file was generated with all of the information completely in plain text):
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<FileZilla3>
<Servers>
<Server>
<Host>123</Host>
<Port>27</Port>
<Protocol>0</Protocol>
<Type>0</Type>
<User>123</User>
<Pass>123asdASD</Pass>
<Logontype>1</Logontype>
<TimezoneOffset>0</TimezoneOffset>
<PasvMode>MODE_DEFAULT</PasvMode>
<MaximumMultipleConnections>0</MaximumMultipleConnections>
<EncodingType>Auto</EncodingType>
<BypassProxy>0</BypassProxy>
<Name>New site</Name>
<Comments />
<LocalDir />
<RemoteDir />
<SyncBrowsing>0</SyncBrowsing>New site
</Server>
</Servers>
</FileZilla3>
--
I am sure that there is a very simple solution to this, such as encrypting it and then storing the encryption key (protected by the user's username and password) on the site in their account. Or to offer the ability at least to pay for some space to store keys on the site. And even if storing on the site would be a bad idea, at least offering encryption and then giving an encryption key to maybe be stored on a USB stick or something.
comment:3 by , 10 years ago
| Resolution: | → duplicate |
|---|---|
| Status: | reopened → closed |
This is a duplicate of either ticket:5530 or ticket:8173, depending on the facility used for encryption.
Hey son! If it would be a security issue, you should be able do decrypt the password below.
01c4480691de06bd5a279e36057217a5