Comments on: Warning: FileZilla FTP Passwords now Stored in Plaintext

By: Keith

Keith — Fri, 20 Aug 2010 10:59:30 +0000

Got hacked on 15Aug2010, 50 sites on two servers.

Javascript from .ro attacked all types of index files as well as every .js in the servers.

There is no point in reporting this to the Filezilla forum because of their hostile and arrogant attitude.

I love Filezilla and have a solution – I installed Filezilla Portable from http://portableapps.com/apps/internet/filezilla_portable and it runs on a usb memory stick. No Filezilla files are copied to my windows machine.

Now simply plug in the stick when I have changes to make and remove it afterwards!

By: dizt3mp3r

dizt3mp3r — Thu, 03 Jun 2010 10:19:44 +0000

I was subject to some malware which has just taken the plain text passwords from sitemanager.xml. I am dismayed, each of the sites has been hacked but luckily only those listed in filezillas’s sitemanager. I had recently planned to convert all my sites from wsftp to filezilla and only the difficulty of transferring 60 or so sites had prevented me. I am now so thankful that I did not start the job! I am appalled at finding that filezilla stores passwords in plain text.

I have now removed filezilla from all my machines and ws ftp is now my default ftp client. The attitude of the developers is all wrong. They seem to think that we should not be using windows…a daft and pompous attitude to take. Filezilla on Windows could be the norm if only it worked properly.

My advice: do NOT install Filezilla. If you have it installed, remove it now, the security of your websites is seriously at risk.

By: Mazzy

Mazzy — Mon, 24 May 2010 19:11:59 +0000

I keep a fairly clean system and still had passwords for 2 clients sites stolen and their websites defaced with advertisements.

Now I keep my passwords in the only truly safe place left – my head. If the developer doesn’t want to do anything about this – fine. It’s his program he can do what he wants with it (and it’s a great program). I think informing people about this is a must however as many assume at least a basic level of encryption on these passwords.

By: Stephane

Stephane — Thu, 20 May 2010 08:31:54 +0000

Well you will not plan it until you got those kinds of virus taking this file to hack ftp servers. I got all my ftp servers hacked recently. It’s a very bad security policy.

By: T-bug

T-bug — Thu, 22 Apr 2010 22:07:08 +0000

The Filezilla developer has a seriously nasty attitude. Makes you wonder why he develops for the Windows platform at all as he is so abusive to anyone who uses it.

If you want your FTP accounts and websites hacked with Malware distribution bots, use Filezilla, by all means. Read the Filezilla forum on passwords stored in plain text XML files. The conversations and, in particular, the developer responses are hard to believe.

By: Álvaro Degives-Más

Álvaro Degives-Más — Mon, 19 Apr 2010 00:52:51 +0000

Oh I forgot to add that Windows 7 hasn’t changed the location for the Filezilla files compared to Vista, so the location for Windows 7 is (in case you want to update the post info) here:

Windows 7: “C:\Users\username\AppData\Roaming\FileZilla\”

By: Eddie

Eddie — Mon, 12 Apr 2010 22:19:45 +0000

One option, which does not solve the problem but does add an extra layer of security, is to apply windows encryption to the entire folder where the XML files are.

Yes, windows encryption has already been broken, so if you are truly concerned about security but LOVE Filezilla then you should to create a Truecrypt volume to store the XML files.

Of course if you are that paranoid you should also switch your SERVERS to SFTP or another secure FTP method.

By: Álvaro Degives-Más

Álvaro Degives-Más — Mon, 22 Mar 2010 07:16:50 +0000

Thanks for the info – I have a notebook that unwittingly became my failover after my desktop blew out badly. So I arrived here just to find out where those passwords are, and how to decrypt them… Needless to say I’m happy now.

+1 on keeping the pw in plaintext and where they are – if you’re in need of encryption, then go for a specific app like TrueCrypt. And leave the frou-frou and dancing bear additions to Microsoft.

By: sam

sam — Sat, 13 Feb 2010 18:46:32 +0000

I still use FileZilla frequently (which supports SFTP). I wrote this post only to inform of the potential security risk, I still think FileZilla is among the best FTP clients out there.

-Sam

By: WiredEarp

WiredEarp — Tue, 09 Feb 2010 22:33:27 +0000

Actually, I just came from the FileZilla website, and know what you mean. The admin there seems to be a real idiot (he actually suggests that everyone should spend an hour a day on their PC making sure its secure). Any encryption, even basic, is an improvement over plaintext (they could always leave in a plaintext option). I used to be a big FileZilla fan, but will no longer run it due to the password issue – that and the fact that I dont like supporting dickheads.