User Forks FileZilla FTP Client After Getting Hacked (filezillasecure.com) 166

Slashdot reader Entropy98 writes: A frustrated FileZilla user took matters into his own hands after getting hacked due to the fact that his saved passwords were being saved in plain text files. Despite years of numerous requests over almost 10 years, the FileZilla devs refused to add a Master Password option to encrypt the stored passwords. Finally fed up, one user forked FileZilla and created FileZilla Secure with the Master Password option.
  • by Anonymous Coward on Sunday November 06, 2016 @11:38AM (#53223351)

    When devs act like asshats and refuse to consider that just because you can still get at encrypted passwords doesn't mean it's not helpful to make the bar a little higher than reading plain fucking text.

    • They're not arrogant asshats. Simply put, these guys are the SNL tech rejects. They go around, snickering, somebody doesn't know the Master Password, before breaking out into song, until our chief protagonist, the Trinity wannabe/lookalike hacks into the file and sees the password in plain text.

      The project's been forked; Good news, everyone!

    • by SeaFox ( 739806 )

      When devs act like asshats and refuse to consider that just because you can still get at encrypted passwords doesn't mean it's not helpful to make the bar a little higher than reading plain fucking text.

      The same ones that tell you "patches welcome" for bug fixes or feature requests a large number of people desire? That seems to be the MO with many open source projects.

    • why didn't somebody fork it long before now?
  • Good deal (Score:5, Insightful)

    by JustAnotherOldGuy ( 4145623 ) on Sunday November 06, 2016 @11:39AM (#53223355)

    Now as long as those lazy bastards at FileZilla don't sue him, maybe this will be a nice step forward.

    As for you fucking clowns at FileZilla storing passwords in plain text files, what the fuck? Did you just teleport in from 1992 or something??

    • by Megane ( 129182 ) on Sunday November 06, 2016 @11:41AM (#53223371) Homepage
      They're just upholding the proud decades-long tradition of FTP putting everything in the clear.
  • by 0100010001010011 ( 652467 ) on Sunday November 06, 2016 @11:41AM (#53223367)

    How many OSS projects would benefit from:

    User demands feature.
    Devs refuse feature.
    User forks and adds feature.

    • But does this actually solve anything? OK, it is forked, and there are probably other forks as well. But I cannot use more than one at once, and the main devs doing the core work are still on the original branch, with a bunch of flakes who probably moved on years ago owning the forks. At the end of the day, it is probably not worth using any of these forks if you care about getting any possible updates to the main program.

    • It would help if this didn't take 10 years. If this is OSS working as it should, then it shows how inherently broken a system of relying on users to be able to change their own software is; most users are not software developers.

  • by Anonymous Coward

    If your system is already compromised by malware, won't it just capture your master password when you start Filezilla? This effort just seems to be adding a pointless layer for a software program that has nowhere near the attack surface of a web browser.

    • by davecb ( 6526 )
      It's a defense in depth. If the attacker is a professional security service and has a key logger on your system, they can get anything, at the expense of having to grovel through everything you type for a day (;-))

      If they're a script kiddy and can only read files, though, you can stop them by having some selected files encrypted, or their contents encrypted. For example, /etc/shadow.

    • by Kobun ( 668169 )
      It's one step better than that - this page distributes malware-loaded Filezilla installers - https://filezilla-project.org/... [filezilla-project.org]

      So it's not at all unreasonable to think that Filezilla is 100% to blame here, for both the unencrypted password file and for the malware infection.
  • by Anonymous Coward

    It should just use whatever password manager is installed on the OS, like the gnome keyring or kde wallet manager

    • by cdrudge ( 68377 )

      The OS should do this... like the gnome keyring or kde wallet manager

      Interesting how you say that the OS should do this, then suggest two applications that aren't part of the OS.

  • by cjellibebi ( 645568 ) on Sunday November 06, 2016 @12:26PM (#53223577)

    Apparently, there's a bug in Microsoft's IIS server that causes corruption when attempting to resume large downloads. FileZilla does not take this into account, and as a result, the download is corrupted. Clearly, this is Microsoft's fault, but the situation is that there are many buggy IIS servers out there, and Filezilla, by not having a workaround for this (other FTP clients do have a workaround), ends up corrupting the download. After looking at this ticket [filezilla-project.org], it shows that the developer clearly does not live in the real world.

    Personally, this issue hasn't affected me, but the exchange I linked to tells me a lot about the attitude of the developer. I only even discovered this issue when reading about FileZilla.

    So is this fork going to address this issue?

    • the developer clearly does not live in the real world

      Maybe... he didn't reply for 18 months.

    • by Anonymous Coward

      Wow. I love how the developer of the client software is telling his users to upgrade the servers they're connecting to!

      That takes some real chutzpah.

      dom

    • by lucm ( 889690 ) on Sunday November 06, 2016 @01:38PM (#53223891)

      Thanks for posting that link, that ticket is pure gold. 7 years of arrogance make for a fascinating 5 minute read.

      The amount of time that developer spent arguing and reclosing that ticket could have been spent solving the problem, but instead he was proud of "making a stand" against a mainstream server product (IIS) that doesn't follow the standard. All he did was alienate users, including potentially me - I don't use Filezilla but moving forward if the need arises I'll choose anything else, I don't want code written by that aspie on my machine.

      It's always a red flag when someone starts using metaphors in a tech discussion, like this guy and his "bridge". Inevitably it leads to a metaphor contest ("no, the river is the protocol", "then the pillars are the implementation", "no, IIS is the truck crossing the river" etc etc). I have a policy of leaving meetings when the discussion gets to metaphors.

      People like that guy are not representative of open source developers, they're representative of *bad* open source developers.

      • by Kjella ( 173770 )

        On the other hand, I assume he's not getting paid for it. Doesn't matter what open source application it is, if it wasn't my itch to scratch I doubt I'd bother to fix someone else's botched implementation of file formats, protocols and such. Particularly not a large, closed source corporation like Microsoft. Could you imagine Firefox trying to mimic IE6's rendering? I'd probably not bother with the long analogies though just mark it as WONTFIX, if someone offers

        a) a clean and working compatibility patch
        or
        b)

        • Doesn't matter what open source application it is, if it wasn't my itch to scratch I doubt I'd bother to fix someone else's botched implementation of file formats, protocols and such.

          So what you're saying is you're happy releasing and standing behind some software that is incompatible and useless for a large portion of popular servers on the internet? If this was some edge case I'd agree with you, as a developer, especially someone working for free/fun you can't fix everything. But if you can't talk to IIS then frankly your website should feature a warning about how poorly your program works.

          It's not like people were asking for a perfect fix. Half of that thread was simply asking for so

          • by dbIII ( 701233 )

            So what you're saying is you're happy releasing and standing behind some software that is incompatible and useless for a large portion of popular servers on the internet?

            If it's a tiny one person project, why not?
            The thing may be popular but things like storing the password in plain text for any malware to read shows that it's a one person hobby project with far less than professional effort.

            • If it's a tiny one person project, why not?

              Well if that's the case then just say so. Instead you see an endless stream of the developer putting more effort into arrogantly arguing philosophy than required to fix the actual problems. Look through the bug tracker. This is not someone who's tight on time, but someone who just seems to be a user hating arsehole who can't stand the fact that people have a different view than his, even when that different view is taken up by most of his competitors.

              As always when you look at these individual stories it's

      • FTP is such an old protocol, after a while you have implemented it properly, and nothing will really change. One would think FileZilla is then pretty stable and won't see new builds often. But they apparently find time to spend on new features almost weekly. Instead of spending the time on bugs in the core point of the tool, namely doing file transfer which actually transfers the file, they spend time on random features in the UI and tacked on crap not needed for transferring files.

        • by lucm ( 889690 )

          Yes I just checked and there's an exciting new feature released a week ago:

          Tuned appearance of progress bar in transfer queue

          I know, I know, it's all done by volunteers, but why would someone spend time changing progress bars on an FTP client when basic security features (like encrypting passwords) are missing and when a significant problem with a mainstream FTP server has been reported for 7 years. If one's goal is improving an FTP client, this makes no sense, and if one is thrilled to do some fancy GUI stuff why on earth would that person contribute to a F

      • Indeed. Comment 31 aka Codesquid's Bridge [filezilla-project.org] is truly awesome:

        No, the engineer really did exist in another world. Not only was he incapable of understanding that a bridge costs more than a car or a truck, he didn't even understand that many people do not own the bridges they drive over. He even thought that customers would prefer his truck because it couldn't drive over this particular bridge.

        • by lucm ( 889690 )

          That would make an amazing t-shirt.

          I DROVE CODESQUID TRUCK ON A 7.5% BRIDGE AND I SURVIVED

    • by fnj ( 64210 )

      IIS server

      PIN number
      ATM machine
      nothing says "stupid" like redundant labeling

      • The S in IIS stands for services, not server.

      • nothing says "stupid" like redundant labeling
        You are mistaken.
        Nothing says "stupid" like being pedantic about such simple matters.
        Everyone, including scientists/biologists, says HIV virus.
        Same for any other matter. It is "strictly speaking" wrong: but everyone uses language that way. Get over it and be done with it, you look extremely stupid to me, as you obviously don't know that. On the other hand you simply could be an autist, then it is forgivable.

      • by Trogre ( 513942 )

        Nothing says "useless pedantry" like mistakenly expanding acronyms inline.

        "Send me a GIF." "You want me to send you a format?"
        "Okay, how about a JPEG." "But I don't know the whole group personally."

  • by Anonymous Coward

    After reading that thread on the Filezilla forum I feel slightly sick in my stomach.

    That dev is one dense motherfucker, his only reply is "Yes but how did you get infected in the first place", as if that mattered in any way.
    Don't store PLAIN TEXT passwords in your software, dummy!

    Seriously reaching black hole level density here buddy, shame on you...

    • That dev is one dense motherfucker, his only reply is "Yes but how did you get infected in the first place", as if that mattered in any way.

      It does ... would you trust crypto code commits from someone who got hacked from clicking a simple phishing email ?

      • Is that how he was hacked? I looked at several of the links but did not see that.
        codesquid seems to have a very well developed sense of what-he-is-prepared-to-do and what not, or "who cares what the users want because they are clueless?".

        I know someone who uses Filezilla but he is on a network which has no direct connection to the outside world. Probably the safest way.

        • Is that how he was hacked? I looked at several of the links but did not see that.

          No, I don't know how he was hacked. I was just painting a possible scenario.

      • by NotAPK ( 4529127 )

        I would.

        Doubly so considering that the tech for this patch already exists, and I must point out, *already exists* within other Mozilla packages! You know that thing in Thunderbird where the email client can save all of your email passwords and encrypt them using a single password? Well, doesn't it seem similar to that other thing in Firefox where the browser can save all your passwords and encrypt them using a single password? Right. So all the Filezilla devs had to do was take the same code and apply it to

      • by Anonymous Coward

        It wasn't a phishing email. It was a browser exploit that took the ftp login details from the unencrypted filezilla password and then uploaded itself to every page of every site of every server on the password list.

        This isn't the first time some malware targeted the filezilla password file. There's a reason chrome, Firefox, bitcoin, and others encrypt their master password file.

      • by hey! ( 33014 ) on Sunday November 06, 2016 @02:13PM (#53224035) Homepage Journal

        Everybody can get hacked eventually. A moment of distraction, a zero day exploit, a trusted partner or source getting undermined...

        If you think you are too smart to get hacked, you are a fool.

        Security is the one place where your very best effort ought to be the norm.

  • In fact, to make sure it's twice as secure, FileZilla double-encrypts all passwords with the ROT13 algorithm.
  • by Anonymous Coward

    Switch to WinSCP because it's better than FileZilla in every way.

  • by matbury ( 3458347 ) on Sunday November 06, 2016 @02:38PM (#53224145) Homepage

    ...but yes, not encrypting login credentials is a major concern for me too. Also, I prefer to use keys rather than passwords wherever possible but more often than not, Filezilla throws up a bunch of bugs that haven't been patched in a long time when I try to use them.

    So yes, the Filezilla devs really need to get their acts together on security.

    BTW, no Filezilla Secure available for Linux yet. Since Linux pretty well has encryption for all things web built in, it's tempting to give up on GUIs and simply do it all from the command line.

  • Great! I've been thinking about doing the same thing for some time now since the FileZilla Devs seem dead set about ignoring Segmented FTP. People have been requesting it for years and the devs are like 'eh, I don't need it so why would anyone else?'

    https://whatbox.ca/wiki/Multi-threaded_and_Segmented_FTP

    https://forum.filezilla-project.org/viewtopic.php?t=24720

    https://trac.filezilla-project.org/ticket/2309

    https://trac.filezilla-project.org/ticket/2762

    https://trac.filezilla-project.org/ticket/5526

  • Just don't use software with "zilla" in the name. With a name like that, it can't be serious.
  • Serves forked-because-of-security-enhancements download over HTTP instead of HTTPS even though certs are free via LetsEncrypt. SMH.

  • I've seen several comments shrugging shoulders over whether there is a better sftp client out there. As an instructor who teaches an introductory C++ on Linux course to students whose only previous experience has been in Windows, I have found that MobaXterm is much better than Filezilla or PuTTY.
    YMMV, etc., etc.

  • Why is this news? This is a standard open source practice, to fork and change/improve.

    Good work developer. Good use of Open Source.

  • I had to read the article to see, the hack was not due to a bug in filezilla. But this bug/missing feature made the other hack much more devastating. Once the malware infiltrated, it was coded to look for filezilla passwords and took advantage of that.
