
Re: Filezilla a security risk



On 06/27/2012 04:58 PM, francis picabia wrote:
On Wed, Jun 27, 2012 at 4:46 PM, Andrei POPESCU
<andreimpopescu@gmail.com>  wrote:
On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
I've just learned Filezilla is a security risk.  It stores saved
passwords and the last used password in a plain text file.

As do many other programs.

Huh.  None that I run.  Perhaps your standards are, uh, different.

Malware commonly scoops up this info and hacks web sites
or shell accounts.

Sure.

The developer refuses to incorporate a solution
such as master password and encryption into filezilla.

It's his prerogative to decide what to do with his spare time :)

That, wasn't the point.  The point is, waiting for a solution upstream
isn't what we should do next.

His responses in numerous bug reports and feature requests are:

1. encryption: that's the file system's job
2. don't get the malware in the first place

In my opinion, people should avoid filezilla.

Once your account has been compromised you must assume that any
sensitive or confidential information accessible through that account
has been compromised as well. Even if the passwords are stored encrypted
on disc, at some point they have to be decrypted anyway, at which point
they become vulnerable.

Hope this explains,

If you read some of the discussions about this vulnerability, there
are many stories of accounts being compromised.  I'm not talking theory,
but something happening right now on many systems.  The Filezilla
application is popular, and therefore
a common target of malware.  As some of us have to guard systems which
have many users on them, this is of interest.  It isn't my account I'm
worried about.

We have to do whatever possible to reduce the size of the target to
the hacker.  In this case we advise users to uninstall Filezilla
and use something else.  Not all Windows users of FTP tools are IT savvy.
They need warnings and guidance frequently.  I passed this on so
others can reduce their threat potential.

Hope this explains...



So what do you recommend as an FTP client?

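The thread turns on one concrete fact: FileZilla writes saved site passwords into a plain-text XML file on disk, so anything that can read the user's profile can read them. As an added example (not code from this thread, from any of the posters, or from the FileZilla project), here is a small audit script an administrator could run over a user's profile to see which saved sites carry a stored password before advising them. It assumes the layout of FileZilla 3's sitemanager.xml (a Servers element holding Server entries with Host, Port, User and Pass children); the file path, the SAMPLE document and all host and user names in it are constructed for the example. Later FileZilla releases base64-encode the Pass value with an encoding="base64" attribute; the script handles that too, since base64 is an encoding, not encryption.

```python
"""Audit a FileZilla Site Manager file for stored credentials.

Added example, not code from the mailing-list thread or from FileZilla.
Assumes the FileZilla 3 sitemanager.xml layout. Typical locations are
~/.config/filezilla/sitemanager.xml and %APPDATA%\\FileZilla\\sitemanager.xml
(assumed paths; pass the real one on the command line).
"""
import base64
import sys
import xml.etree.ElementTree as ET

# Constructed sample mimicking sitemanager.xml; not a real profile.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.org</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>webadmin</User>
      <Pass>hunter2</Pass>
      <Name>Production web</Name>
    </Server>
    <Server>
      <Host>sftp.example.net</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Logontype>1</Logontype>
      <User>deploy</User>
      <Pass encoding="base64">c2VjcmV0UGFzcw==</Pass>
      <Name>Staging</Name>
    </Server>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>0</Logontype>
      <Name>Anonymous mirror</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def decode_pass(elem):
    """Return the stored password as text, or "" if none is stored.

    Older versions write the password verbatim; newer ones base64-encode
    it and mark the element encoding="base64". Either way it is
    recoverable without any key, which is the point of the audit.
    """
    if elem is None or not elem.text:
        return ""
    if elem.get("encoding") == "base64":
        return base64.b64decode(elem.text).decode("utf-8", "replace")
    return elem.text


def find_saved_credentials(xml_text):
    """List every Server entry that carries a recoverable password.

    The password itself is not returned, only its length, so the audit
    output can be shared with the user without repeating the secret.
    """
    root = ET.fromstring(xml_text)
    found = []
    for server in root.iter("Server"):
        password = decode_pass(server.find("Pass"))
        if not password:
            continue  # anonymous or ask-for-password entries are fine
        found.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "port": int(server.findtext("Port") or 0),
            "user": (server.findtext("User") or "").strip(),
            "password_length": len(password),
        })
    return found


def main(argv):
    """Audit the file given on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    hits = find_saved_credentials(text)
    for h in hits:
        print(f"{h['name']!r}: {h['user']}@{h['host']}:{h['port']} "
              f"(password stored, {h['password_length']} chars)")
    # Non-zero exit when credentials are stored, for use in login scripts.
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python audit_filezilla.py /path/to/sitemanager.xml`; with no argument it audits the constructed sample and flags the two entries that store a password while ignoring the anonymous one. The same parsing works on recentservers.xml, which uses the same Server element layout, if you also want to check the "last used" entries the first poster mentions.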
