Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Filezilla's silent caching of user's credentials
From: Charles Morris <cmorris () cs odu edu>
Date: Fri, 8 Oct 2010 09:21:14 -0400

On Thu, Oct 7, 2010 at 11:10 PM, Ryan Sears <rdsears () mtu edu> wrote:
Hi all,

As some of you may or may not be aware, the popular (and IMHO one of the best) FTP/SCP program Filezilla caches your 
credentials for every host you connect to, without either warning or ability to change this without editing an XML 
file. There have been quite a few bug and features requests filed, and they all get closed or rejected within a week 
or so. I also posted something in the developer forum inquiring about this, and received this response:

"I do not see any harm in storing credentials as long as the rest of your system is properly secure as it should be."


To me this is not only concerning, but also completely un-acceptable. The passwords all get stored in PLAIN TEXT 
within your %appdata% directory in an XML file. This is particularly dangerous in multi-user environments with local 
profiles, because as we all know physical access to a computer means it's elementary at best to acquire information 
off it. Permissions only work if your operating system chooses to respect them, not to mention how simple it is *even 
today* to maliciously get around windows networks using pass-the-hash along with network token manipulation 

I reported a similar issue in a certain SSH client a few years ago, it
was keeping the passphrase as cleartext in memory
for the duration of the session as well as an arbitrarily long period
after you disconnect but keep the window open.

They added protections like a simple encoding for the credentials
where they are stored, and nulling out the region
when you ended the session. They still wanted to keep the credentials
intact during the session in order to quickly
create new terminal windows.

This issue was much less serious than storing the cleartext in a file,
and they thought it appropriate to add protections.

I just wanted to gauge the FD community on this issue, because with enough backing and explanation from the security 
community as to why this is a problem, this issue may finally be resolved (it's been doing this for years now).

It IS an issue. Plain and simple.

That type of developer response really gets me.

Personally I won't be allowing Filezilla on any of my systems even if
they do eventually patch this issue..
who knows what else is lurking behind the scenes?


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]