Full Disclosure: Re: Filezilla's silent caching of user's credentials

[Charles Morris <cmorris () cs odu edu>]

On Thu, Oct 7, 2010 at 11:10 PM, Ryan Sears <rdsears () mtu edu> wrote:
> Hi all,
>
> As some of you may or may not be aware, the popular (and IMHO one of the best) FTP/SCP program Filezilla caches your 
> credentials for every host you connect to, without either warning or ability to change this without editing an XML 
> file. There have been quite a few bug and features requests filed, and they all get closed or rejected within a week 
> or so. I also posted something in the developer forum inquiring about this, and received this response:
>
> "I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be."
>
> Source:(http://forum.filezilla-project.org/viewtopic.php?f=3&t=17932)
>
> To me this is not only concerning, but also completely un-acceptable. The passwords all get stored in PLAIN TEXT 
> within your %appdata% directory in an XML file. This is particularly dangerous in multi-user environments with local 
> profiles, because as we all know physical access to a computer means it's elementary at best to acquire information 
> off it. Permissions only work if your operating system chooses to respect them, not to mention how simple it is *even 
> today* to maliciously get around windows networks using pass-the-hash along with network token manipulation 
> techniques.
I reported a similar issue in a certain SSH client a few years ago, it
was keeping the passphrase as cleartext in memory
for the duration of the session as well as an arbitrarily long period
after you disconnect but keep the window open.

They added protections like a simple encoding for the credentials
where they are stored, and nulling out the region
when you ended the session. They still wanted to keep the credentials
intact during the session in order to quickly
create new terminal windows.

This issue was much less serious than storing the cleartext in a file,
and they thought it appropriate to add protections.

> I just wanted to gauge the FD community on this issue, because with enough backing and explanation from the security 
> community as to why this is a problem, this issue may finally be resolved (it's been doing this for years now).
It IS an issue. Plain and simple.

That type of developer response really gets me.

Personally I won't be allowing Filezilla on any of my systems even if
they do eventually patch this issue..
who knows what else is lurking behind the scenes?

Cheers,
Charles

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/