I will admit i am an addict of FileZilla, it fulfills every single possible FTP need and it’s FREE. Anyways i have hundreds and hundreds of reasons for using FileZilla (if you want a full review, say so in the comments) but i wanted to dedicate this post to a major security concern regarding FileZilla.
When you use FileZilla to get access to an FTP site that requires a username and password, I would think it is important that no one should know these but you (unless you want people accessing the site) but apparently the developers of FileZilla don’t respect that because since FileZilla Version 18.104.22.168 the username and password along with their respective server addresses are stored in PLAIN TEXT which means anyone who has access to your PC at any time can know your password by opening the respective files:
filezilla.xml – Stores most recent server info including password in plaintext.
recentservers.xml – This stores the all recent server info including password when you do a “Quick connect”.
sitemanager.xml – Stores all saved sites server info including password in plaintext.
In filezilla.xml the format is:
The biggest concern is that the developer is aware of this security hole but is not willing to address it.
Before you say that this doesn’t concern you since you don’t share your PC with anyone and set high security measures on your operating system, you are still affected by this flaw because FileZilla will send the password in plain text without encrypting it, as a result any node on the route can see the password and possibly store it and use it later.
The operating systems affected are Windows and Linux (possibly Mac OS X)
That being said, I am not going to stop using FileZilla despite these security issues because it is one of the best if not THE best FTP client out there. However, make sure I regularly change my FTP passwords to protect myself.
Again, if you want a full review on the benefits of FileZilla, feel free to voice so in the comments along with what you think of the security issues discussed in this post