
Re: Filezilla a security risk



On Wed, Jun 27, 2012 at 4:46 PM, Andrei POPESCU
<andreimpopescu@gmail.com> wrote:
> On Mi, 27 iun 12, 16:26:48, francis picabia wrote:
>> I've just learned Filezilla is a security risk.  It stores saved
>> passwords and the last used password in a plain text file.
>
> As do many other programs.

Huh.  None that I run.  Perhaps your standards are, uh, different.

>> Malware commonly scoops up this info and hacks web sites
>> or shell accounts.
>
> Sure.
>
>> The developer refuses to incorporate a solution
>> such as master password and encryption into filezilla.
>
> It's his prerogative to decide what to do with his spare time :)

That wasn't the point.  The point is, waiting for a solution upstream
isn't what we should do next.

>> His responses in numerous bug reports and feature requests are:
>>
>> 1. encryption: that's the file system's job
>> 2. don't get the malware in the first place
>>
>> In my opinion, people should avoid filezilla.
>
> Once your account has been compromised you must assume that any
> sensitive or confidential information accessible through that account
> has been compromised as well. Even if the passwords are stored encrypted
> on disc, at some point they have to be decrypted anyway, at which point
> they become vulnerable.
>
> Hope this explains,

If you read some of the discussions about this vulnerability, there
are many stories of accounts being compromised.  I'm not talking
theory, but something happening right now on many systems.  The
Filezilla application is popular, and therefore a common target of
malware.  As some of us have to guard systems which have many users
on them, this is of interest.  It isn't my account I'm worried about.

We have to do whatever is possible to reduce the size of the target to
the hacker.  In this case we advise users to uninstall Filezilla
and use something else.  Not all Windows users of FTP tools are IT savvy.
They need warnings and guidance frequently.  I passed this on so
others can reduce their threat potential.

Hope this explains...

