Warning: FileZilla FTP Passwords now Stored in Plaintext

I feel that this should be brought to the attention of FileZilla users out there, even though it may not be a huge concern to everyone (lots of apps do this, but potentially giving up FTP access info for a bunch of servers you are responsible for is something to be avoided).

I love the FTP client FileZilla, and I used to share my filezilla.xml file between machines because it stored all my recent servers and passwords (encrypted). Recently I tried to do the same and found that recent versions of FileZilla (roughly 3.0.9.2 and later, and possibly older) store all saved FTP account connection info in plaintext .xml files. This applies to both Linux and Windows installations (Mac OS X has yet to be tested, but I would bet the same applies).

In some cases this is convenient: often I connect with FileZilla and then don’t have the password at hand but need it in a different app or on another machine, and I can just look it up in these plaintext config files.

But in other cases this is a serious problem. From a practical standpoint, say you connect to your FTP server using FileZilla on a semi-public machine, like at a buddy’s place, where you may not be worried about keyloggers but don’t necessarily want your credentials sitting there in plaintext after you walk away.

And let’s not forget that someone could write an app that runs in the background, slurping up that info and putting it in the hands of people you may not trust.

Personally, I am not gonna stop using FileZilla as my primary FTP client on my Linux and Windows boxes; it really is a great app, one of the best clients if not the best. But I feel that awareness of how sensitive data is stored should be a major concern to any serious user.
The following files are what you need to know about:

filezilla.xml – Stores most recent server info including password in plaintext.
recentservers.xml – Stores all recent server info including password in plaintext.
sitemanager.xml – Stores all saved sites server info including password in plaintext.

These files can usually be found in the following directories:

Windows XP/2K: “C:\Documents and Settings\username\Application Data\FileZilla”
Windows Vista: “C:\Users\username\AppData\Roaming\FileZilla\”
Linux: “/home/username/.filezilla/”
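As an added example (not part of the original post, and not FileZilla’s own code), here is a small Python audit that walks the directories listed above, parses each of the three files it finds, and reports which stored sites carry a password, with the secret masked so the report can be shared safely. It assumes the FileZilla3/Servers/Server/Pass XML layout of these files; the handling of a base64 `encoding` attribute written by newer builds is likewise an assumption.

```python
"""Audit FileZilla config files for stored passwords (added example, masked report)."""
import base64
import os
import xml.etree.ElementTree as ET

# File names and locations are the ones listed in the post above.
CONFIG_FILES = ("filezilla.xml", "recentservers.xml", "sitemanager.xml")
HOME = os.path.expanduser("~")
CANDIDATE_DIRS = (
    os.path.join(os.environ.get("APPDATA", ""), "FileZilla"),  # Vista
    os.path.join(HOME, "Application Data", "FileZilla"),       # XP/2K
    os.path.join(HOME, ".filezilla"),                          # Linux
)


def mask(secret):
    """Reveal only the length of a secret, never its characters."""
    return "*" * len(secret) if secret else "<empty>"


def audit_xml(text, source="<string>"):
    """Return one finding dict per <Server> element that stores a password."""
    findings = []
    for server in ET.fromstring(text).iter("Server"):
        pw = server.find("Pass")
        if pw is None or not (pw.text or "").strip():
            continue  # no password stored; FileZilla will have to ask for it
        raw = pw.text.strip()
        # Assumption: newer FileZilla builds write <Pass encoding="base64">.
        # That is encoding, not encryption, so it is still reported as plaintext.
        if pw.get("encoding") == "base64":
            raw = base64.b64decode(raw).decode("utf-8", "replace")
        findings.append({
            "source": source,
            "host": (server.findtext("Host") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "password": mask(raw),
            "password_length": len(raw),
        })
    return findings


def audit_paths(dirs=CANDIDATE_DIRS, names=CONFIG_FILES):
    """Audit every known FileZilla config file that exists on this machine."""
    findings = []
    for directory in dirs:
        for name in names:
            path = os.path.join(directory, name)
            if os.path.isfile(path):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(audit_xml(fh.read(), path))
    return findings


# Constructed sample in the sitemanager.xml layout; not a real site list.
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host><Port>21</Port><Protocol>0</Protocol>
      <User>alice</User><Pass>hunter2</Pass><Name>Client site</Name>
    </Server>
    <Server>
      <Host>sftp.example.test</Host><Port>22</Port><Protocol>1</Protocol>
      <User>bob</User><Pass encoding="base64">c2VjcmV0</Pass><Name>Newer entry</Name>
    </Server>
    <Server>
      <Host>ask.example.test</Host><User>carol</User><Logontype>2</Logontype>
      <Name>Ask for password</Name>
    </Server>
  </Servers>
</FileZilla3>"""

if __name__ == "__main__":
    for hit in audit_paths() or audit_xml(SAMPLE_SITEMANAGER, "constructed sample"):
        print(f"{hit['source']}: {hit['user']}@{hit['host']} password={hit['password']}")
```

When no real config files are present the script falls back to the constructed sample, so it can be run anywhere to see the report format.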

It seems that this has been brought to the developer’s attention, but it also seems that this won’t be changing any time soon. There is a bit of a dispute as to how it should be handled, but I say: why not use the weak cryptography/obfuscation they used to? At least that way it would take someone some minor effort and know-how to get to these passwords.

If you have further information regarding the subject, please comment.

Related resources:

Security posting: http://seclists.org/fulldisclosure/2008/Apr/0511.html

FileZilla Password Recovery Apps/Scripts: (may only apply to older encryption scheme)

http://www.reactive-software.com/filezilla-password-recovery.html

http://www.ianwootten.co.uk/2008/01/05/decrypting-filezilla-passwords-with-php/

53 thoughts on “Warning: FileZilla FTP Passwords now Stored in Plaintext”

  1. sam Post author

    I got my hands on a Vista box, found the folder and added it to the list of directories above.

    Thanks, Sam

    Reply
  2. Pingback: Il blog di Gabriele Favrin » Archivio del blog » FileZilla3: come peggiorare un bel programma

  3. Billco

    I hate to burst your bubble, but FTP passwords are transmitted in plain text anyway, and filezilla is open source. Even if they did use weak encryption, it needs to be reversible by design, and the reversing code would be (and has been) freely available right in the source distribution. Actually, they could simply copy your XML files over their own Filezilla installation and connect using your credentials. If someone wants to get into your account, and they have access to your XML files, you’re screwed either way.

    What *should* be implemented is an option to not store the password, and have the application prompt for it when needed. FlashFXP does this, where if you leave the password box empty, it will pop up when you try to connect. It doesn’t get saved, and even if you reconnect during the same session, it prompts you again.

    That way, you can safely FTP from a public location without exposing your password. A person could still sniff the IP traffic, but that’s a bit more involved than merely copying a text file, and much harder to pull off without getting caught (unless you’re the sysadmin).

    Reply
    1. Daniel

      I know this is very old stuff, but still.
      The solution should be to be able to give a master password which won’t be found in the source code of the app ;-)
      So every time you need to connect, it only asks for the master password.
      Then if someone wants to steal your pass, they can’t do it anymore through reading files, only through network man-in-the-middle kinda stuff, which is way more complicated.

      Reply
  4. sam Post author

    My bubble is in great shape – I’m well aware that FTP is plaintext and Filezilla is open source. My point is that it is now too easy to see passwords, simply glancing at a file in a text editor. You’ve got a point that someone could just copy the xml files over their own installation but the difference here is that anyone can read plaintext, it takes someone with some knowledge + effort to go beyond that.

    I’m not worried about the pros and the overeager who would sniff my network nearly as much as the junior script kiddies who would gladly slurp plaintext but shy away from some simple decoding.

    Optional password storage would make a lot of sense, it is a bit presumptuous although convenient to store recent logins.

    Reply
  5. Rick

    Personally, I’m glad the passwords are stored in plain text. I deal with a lot of ftp servers, and some accounts we’ve had for so long we (and the other sysadmins) have forgotten what the passwords were. I know, document stuff better, but people don’t. Plaintext passwords saved the day.

    I’ve recently switched from LeapFTP to FileZilla, and I don’t plan on switching to anything else for quite sometime. I had to use a password revealer to get my ftp accounts imported into FZ …

    I actually came here looking for the location of the xml files, because this morning I had to tell a client what account / password we were using to access their ftp server. Thanks for posting the location, as I seemed to be unable to locate them on my own. Windows Search failed me :(

    Reply
    1. Stephane

      Well, you will not plan it until you get those kinds of viruses taking this file to hack FTP servers. I got all my FTP servers hacked recently. It’s a very bad security policy.

      Reply
  6. Francois

    Yes, of course the FTP protocol does transmit in plain text, but there is a difference between the theory and the real world.

    In the real world, my data collector will be happy to search and extract password from files that store them in plain text ( in every filezilla installation ) of the machines that I may hack.

    And nope, most people don’t encrypt their home directory. And a new password often leads to a new, higher, level of access.

    So yes, there is a big difference between mounting a man-in-the-middle attack, which requires being in the right place at the right moment, and simply taking a file and having access to the last X months of login history.

    “If you don’t trust your root, don’t use the system” -> what about: never trust anyone ?

    Reply
  7. Aaron Walkhouse

    I was just over at the FileZilla site asking about this, and a thorough read reveals that not only does the sole developer refuse to do anything to help, he actively stifles discussion of the matter after blaming everybody and everything else for the problem.

    My recommendation is to remove FileZilla from your system if you are responsible over any web site because though you were a target for hackers before, you have just become a PREFERRED target because of the attitude and actions of Tim Kosse, the developer of FileZilla.

    Reply
    1. WiredEarp

      Actually, I just came from the FileZilla website, and know what you mean. The admin there seems to be a real idiot (he actually suggests that everyone should spend an hour a day on their PC making sure it’s secure). Any encryption, even basic, is an improvement over plaintext (they could always leave in a plaintext option). I used to be a big FileZilla fan, but will no longer run it due to the password issue – that and the fact that I don’t like supporting dickheads.

      Reply
  8. Pingback: Cum am scapat de injectionul javascript <script>/*GNU GPL*/ try{window.onload

  9. Emilio

    That it is transmitted in plain text is a silly excuse if you ask me.

    IF the user wants to store the password then the application should do its best to protect the user and in this case it means to use reasonable encryption which is not rocket science anymore.

    Now anyone can just open the archive and steal your passwords, in fact malware and viruses steal passwords this way.

    Shameless omission! being open source is no excuse for laziness.

    Reply
  10. Siddharth

    Why not do what Firefox does and have a master password and use that to create a hash and key to decode the stored (encrypted) passwords?

    This is a major security risk and should be handled.

    Reply
  11. Paul

    I’ve just had 6 sites hacked due to this vulnerability. I run all sorts of security measures on my PCs, but it was so easy for the malware to pick up the plain text host, user, and password info from the FileZilla xml file that it was sent to the hackers before I could even flick my WiFi switch off! Literally – I was stunned by how quickly it happened. Although the sites were hacked within 24hrs, luckily I spotted it before my sites were blacklisted as their hacks loaded the sites with malware.

    Read the FileZilla forums and see how their “admin” deals with such queries – quite frankly, the tone of his responses to their users would stop me using FileZilla even without this recent event!

    If you don’t want all your ftp account details to land up in the hands of some hacker who will ruin your websites, DON’T USE FILEZILLA – even if your machines are like Fort Knox!

    FileZilla’s “admin” response to users caught out in this way – “don’t use Windows”! Sorry?….I’m sure I was using the WINDOWS version of FileZilla? Really, I urge you to read their forums (search for encrypt and/or hacked) and you’ll soon see that FileZilla’s developers are not people whose software you would want to use.

    I wish I’d read your original post 10 days ago – it would’ve saved me SO much hassle and a stack of work changing accounts and loading site backups. Thanks for bringing it to others’ attention though! Please, please, please, heed these warnings – however “safe” you believe your machines to be!

    Paul

    Reply
  12. Andy

    If you’re using FTP in a public location, this is only one of your worries. If you administer the workstation, use the fzdefault.xml file in the /docs/ folder and change the kiosk mode parameter to 1 or 2 so that it doesn’t save this info.

    Additionally, you can use the fzdefault.xml file to tell FileZilla not to check for updates, which is usually a nuisance on a public machine anyway.

    Reply
  13. josh

    I too came to figure out where the passwords were stored. My passwords are very strong, and I sometimes forget them. Thanks for the tip. :)

    (FTP isn’t secure anyway, packet sniffing on wifi networks, many of which are wep, is easy enough. Use SCP if you want security.)

    Reply
  14. michael

    I keep waiting for someone to write a free, Windows-compatible FTP client that doesn’t suck, but I have yet to find one.

    Thanks for the heads up. I’m ditching FileZilla.

    Reply
  15. Jake

    First, thanks UT for this post! I agree with all you said about FileZilla and the storage of passwords. This has woken me up and I’m evaluating my whole password strategy.

    So what FTP program do you recommend for Windows?

    I would assume you recommend to start using SFTP?

    Reply
    1. sam Post author

      I still use FileZilla frequently (which supports SFTP). I wrote this post only to inform of the potential security risk, I still think FileZilla is among the best FTP clients out there.

      -Sam

      Reply
  16. Álvaro Degives-Más

    Thanks for the info – I have a notebook that unwittingly became my failover after my desktop blew out badly. So I arrived here just to find out where those passwords are, and how to decrypt them… Needless to say I’m happy now.

    +1 on keeping the pw in plaintext and where they are – if you’re in need of encryption, then go for a specific app like TrueCrypt. And leave the frou-frou and dancing bear additions to Microsoft.

    Reply
    1. Álvaro Degives-Más

      Oh I forgot to add that Windows 7 hasn’t changed the location for the Filezilla files compared to Vista, so the location for Windows 7 is (in case you want to update the post info) here:

      Windows 7: “C:\Users\username\AppData\Roaming\FileZilla\”

      Reply
  17. Eddie

    One option, which does not solve the problem but does add an extra layer of security, is to apply windows encryption to the entire folder where the XML files are.

    Yes, Windows encryption has already been broken, so if you are truly concerned about security but LOVE FileZilla then you should create a TrueCrypt volume to store the XML files.

    Of course if you are that paranoid you should also switch your SERVERS to SFTP or another secure FTP method.

    Reply
  18. T-bug

    The Filezilla developer has a seriously nasty attitude. Makes you wonder why he develops for the Windows platform at all as he is so abusive to anyone who uses it.

    If you want your FTP accounts and websites hacked with Malware distribution bots, use Filezilla, by all means. Read the Filezilla forum on passwords stored in plain text XML files. The conversations and, in particular, the developer responses are hard to believe.

    Reply
  19. Mazzy

    I keep a fairly clean system and still had passwords for 2 clients sites stolen and their websites defaced with advertisements.

    Now I keep my passwords in the only truly safe place left – my head. If the developer doesn’t want to do anything about this – fine. It’s his program he can do what he wants with it (and it’s a great program). I think informing people about this is a must however as many assume at least a basic level of encryption on these passwords.

    Reply
  20. dizt3mp3r

    I was subject to some malware which has just taken the plain text passwords from sitemanager.xml. I am dismayed; each of the sites has been hacked, but luckily only those listed in FileZilla’s site manager. I had recently planned to convert all my sites from WS_FTP to FileZilla and only the difficulty of transferring 60 or so sites had prevented me. I am now so thankful that I did not start the job! I am appalled at finding that FileZilla stores passwords in plain text.

    I have now removed filezilla from all my machines and ws ftp is now my default ftp client. The attitude of the developers is all wrong. They seem to think that we should not be using windows…a daft and pompous attitude to take. Filezilla on Windows could be the norm if only it worked properly.

    My advice: do NOT install Filezilla. If you have it installed, remove it now, the security of your websites is seriously at risk.

    Reply
  21. Keith

    Got hacked on 15Aug2010, 50 sites on two servers.

    Javascript from .ro attacked all types of index files as well as every .js in the servers.

    There is no point in reporting this to the Filezilla forum because of their hostile and arrogant attitude.

    I love Filezilla and have a solution – I installed Filezilla Portable from http://portableapps.com/apps/internet/filezilla_portable and it runs on a usb memory stick. No Filezilla files are copied to my windows machine.

    Now simply plug in the stick when I have changes to make and remove it afterwards!

    Reply
    1. kamal

      You’re funny :). Then when you connect your USB, they steal it with a script that searches for this file on all devices, machine and USB. So it doesn’t help; you are at risk when you connect your USB.

      Reply
  22. Pingback: AnA Blog » FileZilla password recovery

  23. Dilip Gupta

    Hey Buddy….

    I am using Win2k Server. I have searched the files you mention but am unable to find the file filezilla.xml. Can anyone please suggest how to retrieve the stored FTP server password from FileZilla/Firefox?

    Regards
    Dilip Gupta

    Reply
  24. shreya

    Hello,
    I usually access confidential data as a part of my job.
    But once I had accessed an FTP site using FireFTP in Mozilla Firefox on someone else’s machine with remember password enabled. Later I deleted that account. Is there any possibility of that person recovering that account, and which are the locations where the password for that account can be stored?
    I am really worried because this can lead to huge loss. Please help, it’s very urgent so that I can take some action.

    Reply
  25. Pingback: At Least Take Me to Dinner First | An Utter Waste of Time

  26. Anonymous

    Awww fail security experts are fail.

    Anything else with a save password box is just as big a risk you tools.

    Complaining about getting your ftp password is like complaining about getting the clap from your $5 hooker.

    Reply
  27. Pingback: Το Filezilla και τα passwords « Stories of the web

  28. Guest

    (For all those being really indignant here)

    Serious dudes,
    1. If you did not know this, go do your homework. Also, you, and only you are responsible for securing your box. Don’t blame the devs of Filezilla for your lack of knowledge. Filezilla is one of the best FTP clients. If you are not satisfied with a feature go help them! Grow up, stop screaming like a little child, and do some work! (I guess you won’t put in some effort yourself do you?)

    2. As Emilio indeed correctly said: FTP passwords get sent in plain text, so if you do not use SFTP or SCP it does not matter if you encrypt the xml file or not. Do you know the concept of security through obscurity? Well, this is a great example of it. I would worry first about using SFTP or SCP (or read the PHP FTP manual and hack up something yourself) before worrying about your plain text password file. If someone has access to your system you are screwed anyway. Don’t blame others because you don’t know shit.

    3. Look for a solution first: e.g. Evrim wrote a nice article about this: http://www.evrim-sen.com/html/filezilla-password-protection.htm

    4. Be constructive please, go find a solution, and put it up online for others to use, just like Evrim did. (e.g. you could use KeePass, double click the password of your FTP entry, paste it in the password field when FileZilla asks for it. KeePass clears your clipboard after 12 seconds, and your passwords are stored safely, and encrypted.) (I see Aidan also put this solution in his comment, but there are many other ways you can secure a plain text file.)

    5. @Keith saying “I was subject to some malware which has just taken the plain text passwords from sitemanager.xml”. Dude how did you get that malware on your (secure) system in the first place? Oh really, you downloaded some (cracked) stuff for personal use on the system that should have been secure, really??

    6. @Michael saying “I keep waiting for someone to write a free, Windows-compatible FTP client that doesn’t suck, but I have yet to find one. Thanks for the heads up. I’m ditching FileZilla.” Michael FileZilla does not suck, you are the one that has a lack of knowledge, you should blame yourself.

    7. @dizt3mp3r saying “My advice: do NOT install Filezilla. If you have it installed, remove it now, the security of your websites is seriously at risk.” I would never take advice from somebody who does not know what he is talking about. I also would not give advice if I did not know what I was talking about myself. The security of your websites is also not at risk because of FileZilla, but it is because of you not knowing what you are doing. If you knew, you would not give such advice.

    8. @anonymous saying “Awww fail security experts are fail… you tools.” …exactly what I thought..

    ====
    Sigh….

    Reply
  29. Steve T

    So, let me get this straight: you’re really concerned that a password is stored in plain text on the file system. Wouldn’t it be more of a security problem if someone could get to this area? The FileZilla password would be the least of your problems.

    Reply
  30. dizt3mp3r

    There are some real twits here not listening but feeling free to comment – Bart.

    Let me explain – I am a system administrator going back to 1986. So, I reckon I know what I am talking about.

    There is no question about it, this one flaw in filezilla is enough for any potential user to drop the program like hot cakes, immediately. It is almost acting as a trojan allowing any hacker to access your sites as long as they can access your PC. Hackers are incredibly clever and resourceful and I know for a fact that they see filezilla as an open resource for harvesting passwords en masse.

    Avoid it.

    Reply
  31. Jonas

    Thanks for your info. I forgot about my FTP password, but now I can recover it.

    Sometime plain text is not bad

    Reply
    1. overpopulation

      And the best part is that now

      i can also recover YOUR password

      sometime YOUR plain text is not bad FOR ME

      Reply
  32. Maris Mols

    Hi,

    Just to let you know. My websites have been hacked into and I strongly suspect that they got my passwords from the FileZilla xml file. They kept hacking my websites even after I changed passwords. FileZilla is the client I use, and I’m gonna drop it immediately.

    I was wondering how they are able to get into servers, and now I know.

    Reply
  33. RRR

    Keeping passwords in plain text is the one feature that has me seriously considering dropping FileZilla altogether. I still somewhat understand the point that FTP is clear text, hence the password is in clear text. But even this is stupid IMHO. A master password or simple encryption would be sufficient.
    But come on, what is the reason to keep SFTP and FTPS passwords in clear text? Just a simply bad decision.

    Reply
  34. Digital

    For some time I really liked FileZilla because it was great to use and no problem to get lost passwords back. But then few of my pages got seriously hacked ( well, actually r*ped). Different hosts, passwords weren’t saved or written anyplace else. So I came to this security issue and for last years I use Winscp.

    What I’m really bugged about is that in overall Filezilla is really good tool. But since 2008 (first serious topic about this in Filezilla forum) they haven’t added ability to encrypt passwords. But in time when websites are being hacked more than ever, you just can’t have plain text login data.

    Reply
  35. Michel

    I see it’s possible to encrypt it …

    In most cases I use Total Commander as my FTP client, and it stores the configuration like this:

    [connections]
    1=br
    default=name
    [br]
    host=domain-name
    username=username
    password=579AD3939FFF6BA0DA7795E00E5C276F91476CD08DC3FFDAFEE0
    pasvmode=0
    MLSD=-1
    [default]
    pasvmode=0

    Reply
