I will admit I am an addict of FileZilla: it fulfills every possible FTP need and it’s FREE. I have hundreds and hundreds of reasons for using FileZilla (if you want a full review, say so in the comments), but I wanted to dedicate this post to a major security concern regarding FileZilla.
The Problem
When you use FileZilla to access an FTP site that requires a username and password, I would think it is important that no one but you should know these credentials (unless you want other people accessing the site). Apparently the developers of FileZilla don’t respect that: since FileZilla version 3.0.9.2 the username and password, along with their respective server addresses, are stored in PLAIN TEXT, which means anyone who has access to your PC at any time can learn your password by opening the respective files:
filezilla.xml – Stores the most recent server info, including the password in plaintext.
recentservers.xml – Stores all recent server info, including the password, for sites you connected to with “Quick connect”.
sitemanager.xml – Stores all saved sites’ server info, including the password in plaintext.
In filezilla.xml the format is:
<LastServer>
  <Host>ftpaddress</Host>
  <Port>21</Port>
  <Protocol>0</Protocol>
  <Type>0</Type>
  <User>theuser</User>
  <Pass>password</Pass>
  <Logontype>1</Logontype>
  <TimezoneOffset>0</TimezoneOffset>
  <PasvMode>MODE_DEFAULT</PasvMode>
  <MaximumMultipleConnections>0</MaximumMultipleConnections>
  <EncodingType>Auto</EncodingType>
  <BypassProxy>0</BypassProxy>
</LastServer>
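Because the three files share this layout, it is easy to audit your own machine for stored FTP secrets before a piece of malware does it for you. The script below is an added example, not FileZilla’s own code: it walks filezilla.xml, recentservers.xml and sitemanager.xml, reports every server entry that still carries a <Pass> value (without ever printing the password itself), and can write back a copy with those values stripped. The sample XML strings are constructed from the format quoted above; the file names are the ones the post lists, and the config directories in the main block are the usual FileZilla locations. Newer FileZilla releases mark the value with encoding="base64"; that is an encoding anyone can reverse, not encryption, so the audit treats it as exposed too.

```python
import os
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List

# The three files the post names; FileZilla keeps them side by side.
CONFIG_FILES = ("filezilla.xml", "recentservers.xml", "sitemanager.xml")

# Constructed samples that mirror the layout quoted in the post (not real configs).
SAMPLE_FILEZILLA_XML = """<?xml version="1.0"?>
<FileZilla3>
  <LastServer>
    <Host>ftp.example.test</Host>
    <Port>21</Port>
    <Protocol>0</Protocol>
    <Type>0</Type>
    <User>theuser</User>
    <Pass>password</Pass>
    <Logontype>1</Logontype>
  </LastServer>
</FileZilla3>
"""

SAMPLE_SITEMANAGER_XML = """<?xml version="1.0"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.client-a.test</Host>
      <Port>21</Port>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Client A</Name>
    </Server>
    <Server>
      <Host>ftp.client-b.test</Host>
      <Port>21</Port>
      <User>bob</User>
      <Name>Client B (no password saved)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def find_stored_credentials(xml_text: str, source: str) -> List[Dict[str, str]]:
    """Return one record per <LastServer>/<Server> entry whose <Pass> holds a value.

    The password is deliberately not included in the record: the audit reports
    *where* a secret is exposed (file, host, user) so it can be removed.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.iter():
        if entry.tag not in ("LastServer", "Server"):
            continue
        pw = entry.find("Pass")
        if pw is None or not (pw.text or "").strip():
            continue  # no secret stored for this entry
        findings.append({
            "source": source,
            "host": entry.findtext("Host", ""),
            "port": entry.findtext("Port", ""),
            "user": entry.findtext("User", ""),
            # base64 is trivially reversible, so it is still "exposed"; the label
            # just tells the reader which on-disk form they are looking at.
            "storage": "base64-encoded" if pw.get("encoding") == "base64" else "plaintext",
        })
    return findings


def strip_stored_passwords(xml_text: str) -> str:
    """Return a copy of the XML with every <Pass> element removed.

    FileZilla will then need the password entered again at connect time, or the
    entry switched to 'Ask for password' in the Site Manager.
    """
    root = ET.fromstring(xml_text)
    for entry in list(root.iter()):  # snapshot: we mutate the tree while walking it
        if entry.tag in ("LastServer", "Server"):
            pw = entry.find("Pass")
            if pw is not None:
                entry.remove(pw)
    return ET.tostring(root, encoding="unicode")


def audit_config_dir(directory: Path) -> List[Dict[str, str]]:
    """Run find_stored_credentials over every known config file in a directory."""
    findings = []
    for name in CONFIG_FILES:
        path = directory / name
        if path.is_file():
            findings.extend(find_stored_credentials(path.read_text(encoding="utf-8"), str(path)))
    return findings


if __name__ == "__main__":
    # Usual locations: ~/.config/filezilla on Linux, %APPDATA%\FileZilla on Windows.
    candidates = [Path.home() / ".config" / "filezilla"]
    if os.environ.get("APPDATA"):
        candidates.append(Path(os.environ["APPDATA"]) / "FileZilla")
    for directory in candidates:
        for f in audit_config_dir(directory):
            print(f"{f['source']}: {f['user']}@{f['host']}:{f['port']} ({f['storage']})")
```

Run it as-is to get a report; to actually clean a file, call strip_stored_passwords on its contents and write the result back after taking a backup, then re-add the passwords only where the entry really needs them.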
The biggest concern is that the developer is aware of this security hole but is not willing to address it.
Before you say this doesn’t concern you because you don’t share your PC with anyone and have set strict security measures on your operating system: you are still affected by this flaw, because FileZilla also sends the password over the network in plain text, without encrypting it. As a result any node on the route can see the password and possibly store it and use it later.
The operating systems affected are Windows and Linux (possibly Mac OS X too).
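The in-transit exposure is visible to anyone who logs the FTP control channel, so it is also something a defender can detect on their own network. The snippet below is an added example, not part of the original post: given the cleartext commands an observer on the path can read for each session, it flags sessions where a PASS command went over the wire unprotected, distinguishes them from sessions that negotiated TLS (AUTH TLS) before logging in, and records only the username, never the password. The session transcripts are constructed sample data, and the AUTH TLS/SSL handling assumes standard explicit-FTPS behaviour.

```python
from typing import Dict, List

# Constructed transcripts of client commands as seen by an on-path observer.
# After a successful AUTH TLS the channel is encrypted, so nothing further is
# readable and the observer's transcript simply ends there.
SESSIONS: Dict[str, List[str]] = {
    "sess-1": ["USER alice", "PASS hunter2", "PWD", "QUIT"],          # plain FTP login
    "sess-2": ["AUTH TLS"],                                           # explicit FTPS, rest opaque
    "sess-3": ["USER anonymous", "PASS guest@example.test", "LIST"],  # anonymous, no real secret
}


def classify_ftp_session(commands: List[str]) -> Dict[str, str]:
    """Summarise one session: who logged in, whether TLS was negotiated,
    and whether a password was visible in clear text."""
    verdict = {"user": "", "tls": "no", "password_in_clear": "no", "risk": "none"}
    for cmd in commands:
        parts = cmd.strip().split(" ", 1)
        verb = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            verdict["tls"] = "yes"
        elif verb == "USER":
            verdict["user"] = arg
        elif verb == "PASS":
            # Record the fact, not the value: the audit output must not become
            # a second copy of the password.
            verdict["password_in_clear"] = "yes"
    if verdict["password_in_clear"] == "yes":
        verdict["risk"] = "low" if verdict["user"].lower() == "anonymous" else "high"
    return verdict


def audit_sessions(sessions: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """Classify every session; callers can then alert on risk == "high"."""
    return {sid: classify_ftp_session(cmds) for sid, cmds in sessions.items()}


if __name__ == "__main__":
    for sid, v in audit_sessions(SESSIONS).items():
        print(f"{sid}: user={v['user'] or '-'} tls={v['tls']} "
              f"password_in_clear={v['password_in_clear']} risk={v['risk']}")
```

A "high" verdict means a real account password crossed the network readable to every hop, which is exactly the situation the post warns about; the fix on the client side is to connect with FTPS or SFTP rather than plain FTP.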
Outcome/Conclusion
That being said, I am not going to stop using FileZilla despite these security issues, because it is one of the best if not THE best FTP clients out there. However, I make sure to change my FTP passwords regularly to protect myself.
Again, if you want a full review of the benefits of FileZilla, feel free to say so in the comments, along with what you think of the security issues discussed in this post.
._. I can see why this can be concerning. Why can’t there be some sort of complaint to the site that the passwords aren’t secure enough? Why risk your password being known? I know it offers a great service but, if your password isn’t secure, other things than your FileZilla account can be at risk.
Thx for this article. Very good.
Hi, thanks for this. Unlike you, I just uninstalled FileZilla for this specific reason. Somehow my PC caught a virus/trojan which I was easily able to extinguish, no big deal. But very shortly after, almost all of my and my clients’ sites got hacked. The first one only minutes after I noticed the infection. The only explanation I found was that passwords were taken from FileZilla and sent “somewhere”. I had stored ftp passwords elsewhere, too, but only a few.
Today I had a chat with one of my hosters, who confirmed the FileZilla security issue. He gave me a whole list of ftp clients that are “safe” (master password, e.g.). Unless you catch a keylogger, of course. But even a keylogger will only be able to log one password after another, not ALL AT ONCE.
I have used FileZilla for many years, and I thank the developers for it. But I have no understanding at all for denying this problem (denying aggressively for years, read their forum … one of the developers at one point announced to give up even obfuscation – “thank you”, says the hacker, “for saving a couple of hours of my time”).
As I unfortunately only now know, after having lost several days cleaning up the mess, storing passwords in FileZilla means inviting disaster. Fellow web developers, be warned. And have fun, otherwise …
Talking security. And privacy. I was totally surprised to see my photo on your site after I posted. Gravatar. I only opened an account last week, and now I find out, whatever I enter there is public, to be seen and used by anyone. No control whatsoever. Next step: trying to close the account > read the FAQ: NOT POSSIBLE. Dear Timour, if you’re serious about security, please don’t use Gravatar. Ok. WordPress and Gravatar are owned by the same corporation. Learning a bit every day … There you go.
I’ve been thankful of this fact to be able to recover saved password before, but having a master password for the site manager would be a good addition to address this concern. Just a reminder though, if you’re using plain FTP your passwords are being transmitted over the net in plain text.
We want to use FileZilla at our office for sharing files, and I wanted to know if it is really safe?
Is there any way we can manually encrypt the passwords?