Slashdot Mirror

← Back to Stories (view on slashdot.org)

User Forks FileZilla FTP Client After Getting Hacked (filezillasecure.com)

Posted by EditorDavid on from the transfer-complete dept.

Slashdot reader Entropy98 writes: A frustrated FileZilla user took matters into his own hands after getting hacked due to the fact that his saved passwords were being saved in plain text files. Despite years of numerous requests over almost 10 years the FileZilla devs refused to add a Master Password option to encrypt the stored passwords. Finally fed up one user forked FileZilla and created FileZilla Secure with the Master Password option.

9 of 166 comments (clear)

  1. This stuff drives me nuts by Anonymous Coward · · Score: 5, Insightful

    When devs act like asshats and refuse to consider that just because you can still get at encrypted passwords doesn't mean it's not helpful to make the bar a little higher than reading plain fucking text.

    1. Re:This stuff drives me nuts by BenFranske · · Score: 4, Informative

      Filezilla also supports SFTP and FTPS though and is probably the best Windows client for those protocols so it's used for a lot more than just FTP. In fact, I would venture to guess that Filezilla FTP use is pretty minimal.

    2. Re:This stuff drives me nuts by BenFranske · · Score: 4, Insightful

      A) I would guess Filezilla is used much more as an SFTP and FTPS client (is there a better one on Windows?) than as an FTP client.

      B & C could apply to SSH clients such as PuTTY as well, so we should stop using that?

      If we only implemented security enhancements when they were perfect solutions we wouldn't implement very much security. Usually there is a balancing act between usability, security, and cost. In this case there seems to be very little usability impact on encrypting the password store so why not do it?

      All that said I'm pretty particular about what software can hold passwords of mine so I've always typed them in to Filezilla on an as needed basis, seems as if that was a good idea.

    3. Re:This stuff drives me nuts by wolrahnaes · · Score: 4, Interesting

      When someone can read your passwords of your disk, the point of encryption is already moot.

      No, encrypting the password database with a master password that's not saved means it can no longer be read directly, significantly raising the bar for capturing passwords.

      A) FTP is typically plain text anyway so you could just wireshark it

      Depending on user privileges this may not be possible, and would only gather one at a time.

      B) you can replace the binaries and have them emailed any time they are entered

      Depending on user privileges this may not be possible.

      C) you can install a keylogger

      See B

      This "user" could've just as easy encrypted his entire hard drive or user directory. Still wouldn't have helped though.

      No shit that wouldn't have helped, as long as the drive's mounted the file is plaintext as far as the malware is concerned.

      I would seriously reconsider taking a "secure" anything from anyone that can't bother to think their own security through.

      Clearly you're not capable of thinking through security yourself.

      Let's say I'm shithoused and inadvertently run some kind of malware that wants to steal my FTP passwords. I realize what I've done almost immediately after and shut down to restore from backups. If they're stored unencrypted, that malware could have already sent my full stored password list to wherever. If they're encrypted with a master password, the malware gets absolutely nothing. Even if I don't catch it immediately the malware still can't get it no matter what until I actually go to use those passwords.

      If you can't see how huge of a difference that is I don't know what to say.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
  2. Good deal by JustAnotherOldGuy · · Score: 5, Insightful

    Now as long as those lazy bastards at FileZilla don't sue him, maybe this will be a nice step forward.

    As for you fucking clowns at FileZilla storing passwords in plain text files, what the fuck? Did you just teleport in from 1992 or something??

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Good deal by Megane · · Score: 5, Funny

      They're just upholding the proud decades-long tradition of FTP putting everything in the clear.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  3. OSS working as it should. by 0100010001010011 · · Score: 5, Insightful

    How many OSS projects would benefit from:

    User demands feature.
    Devs refuse feature.
    User forks and adds feature.

  4. Re:Not "Secure" by Dwedit · · Score: 5, Informative

    Filezilla is a client for FTP, SFTP (SSH File Transfer Protocol), and FTP over TLS. Only one of those three uses cleartext passwords over the network.

  5. IIS Server resume bug by cjellibebi · · Score: 5, Interesting

    Apparently, there's a bug in Microsoft's IIS server that causes corruption when attempting to resume large downloads. FileZilla does not take this into account, and as a result, the download is corrupted. Clearly, this is Microsoft's fault, but the situation is that there are many buggy IIS servers out there, and Filezilla, by not having a workaround for this (other FTP clients do have a workaround), ends up corrupting the download. After looking at this ticket, it shows that the developer clearly does not live in the real world.

    Personally, this issue hasn't affected me, but the exchange I linked to tells me a lot about the attitude of the developer. I only even discovered this issue when reading about FileZilla.

    So is this fork going to address this issue?