BOOBS!

Yeah, that’s my Twitter avatar (and my Twitter username is embeded in the img tags’ title and alt attributes – making it viewable on hover) and yours could show up next.

This is a total breech of privacy, now everyone gets the chance to jump to conclusions and think I’m a freakin’ pervert – just because I viewed an image (which could have been from a link, with me having no prior knowledge of the the contents).

So TweetPhoto’s recently viewed feature is cute and all but MAYBE EVERYONE DOESN’T WANT TO BE TRACKED?

The fact that there isn’t even a setting to turn off user tracking is even worse, did they not realize that people like anonymity?

Just thought I’d share this great “feature” before someones wife accuses them of cheating or something even cooler.

Have a super day!

I love the FTP client FileZilla, and I used to share my filezilla.xml file between machines because it stored all my recent servers and passwords (encrypted). Recently I tried to do the same and came to find out that the most recent versions of FileZilla version ~ 3.0.9.2+ (and possibly older) store all saved FTP account connection info in plaintext .xml files. This applys to both Linux and Windows installations (Mac OS X has yet to be tested but I would bet the same applies).

In some cases this is convenient – often I connect over FileZilla then don’t have access to the password but need to use it in a different app/machine, I could just look it up in these plaintext config files.

But in other cases this is a serious problem. From a practical standpoint, let’s say we connect to our FTP server using FileZilla on a semi-public machine like at a buddy’s place where you may not be concerned about keyloggers but don’t necessarily want your stuff available in plaintext after you walk away.

And let’s not forget that someone could write an app that runs in the background, slurping up that info and putting it in the hands of people you may not trust.

Personally, I am not gonna stop using FileZilla at my primary FTP client on my Linux and Windows boxes, it really is a great app – one of the best clients if not the best. But I feel that awareness pertaining to storage of sensitive data should be a major concern to any serious user.
Text to be displayed
The following files are what you need to know about:

filezilla.xml – Stores most recent server info including password in plaintext.
recentservers.xml – Stores all recent server info including password in plaintext.
sitemanager.xml – Stores all saved sites server info including password in plaintext.

These files can usually be found in the following directories:

Windows XP/2K: “C:\Documents and Settings\username\Application Data\FileZilla”
Windows Vista: “C:\Users\username\AppData\Roaming\FileZilla\”
Linux: “/home/username/.filezilla/”

It seems that this has been brought to the developer’s attention but it also seems that this won’t be changing any time soon. There seems to be a bit of a dispute as to how this should be handled, but I say why not use weak cryptography/obfuscation like they used to, at least that way it would take someone some minor effort/know-how to get to these passwords.

If you have further information regarding the subject, please comment.

Related resources:

Security posting: http://seclists.org/fulldisclosure/2008/Apr/0511.html

FileZilla Password Recovery Apps/Scripts: (may only apply to older encryption scheme)

http://www.reactive-software.com/filezilla-password-recovery.html

http://www.ianwootten.co.uk/2008/01/05/decrypting-filezilla-passwords-with-php/