FileZilla users beware!

August 1, 2010

Users of the popular FileZilla FTP client take note: FileZilla saves all your FTP passwords in plaintext (unencrypted) on your computer, in an XML file (sitemanager.xml) inside its configuration directory. Anyone who knows where to look (e.g. C:\Users\JoeDoe\AppData\Roaming\FileZilla) can copy every saved login with the click of a mouse. Worse yet, malware running in your session can read those files just as easily as you can, compromising every site to which you have FTP access. And yes, malware has been written to do just that.

An obvious solution: don't store logins in the FileZilla Site Manager. Be aware, however, that the login details of any sites you have used from the FileZilla Quick Connect bar are also stored in plaintext, in a second file (recentservers.xml) in the same directory, so that history needs clearing too.

Not storing logins is no solution, however, for anyone who has to manage more than a handful of sites. A web administrator with 30 sites to manage, all of which have (or should have) strong passwords, can’t reasonably be expected either to remember or to look up those passwords at each login.

A master password is clearly the way to go here: the stored logins should be encrypted under a key derived from a password you type in when the client starts, so that the files on disk are useless to whoever copies them. You might approximate this by keeping the FileZilla configuration directory inside an encrypted container that you unlock only while you are using the client. Note that protection which is transparent to the logged-in user, such as folder permissions or whole-disk encryption, does not help: malware running under your account reads the files exactly as you do. Alternatively, you might dump FileZilla in favour of an FTP client (e.g. WinSCP) that comes with master password functionality.

And if you think that the above warning doesn't apply to you because you use an FTP client other than FileZilla, think again. Any scheme that merely encodes or obfuscates stored logins, rather than encrypting them under a secret only you supply, can be reverse engineered by malware writers: the client itself has to be able to undo it without asking you for anything, so the malware can too.
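A quick way to check your own exposure is to audit the two files described above and list every entry that carries a stored password. The script below is an added example, not FileZilla's own code: it parses sitemanager.xml and recentservers.xml (FileZilla3/Servers/Server entries with Host, Port, User and Pass elements, the layout in use at the time of writing) from the default configuration directory, or from a directory given on the command line, and falls back to a constructed sample file when neither exists. It also handles a Pass element marked encoding="base64", which I assume some builds use to wrap the password; base64 is an encoding, not encryption, and the script undoes it to make the point of the previous paragraph concrete: without a master password, whatever the client can read, so can anything else running as you.

```python
"""Audit FileZilla login files for stored passwords (added example, not FileZilla code)."""
import base64
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a sitemanager.xml with three sites: one plaintext
# password, one base64-wrapped password (assumed format), one with no password.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>webmaster</User>
      <Pass>hunter2</Pass>
      <Name>Main site</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>deploy</User>
      <Pass encoding="base64">Y29ycmVjdGhvcnNl</Pass>
      <Name>Staging</Name>
    </Server>
    <Server>
      <Host>ftp.keyonly.example</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>anonymous</User>
      <Name>No saved password</Name>
    </Server>
  </Servers>
</FileZilla3>
"""

# Site Manager entries and the Quick Connect history, respectively.
CONFIG_FILES = ("sitemanager.xml", "recentservers.xml")


def filezilla_config_dir():
    """Default FileZilla config directory for this platform (assumed locations)."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("APPDATA", ""), "FileZilla")
    return os.path.expanduser("~/.config/filezilla")


def recover_password(pass_elem):
    """Return the stored password as cleartext, undoing base64 wrapping if present."""
    text = pass_elem.text or ""
    if pass_elem.get("encoding") == "base64":  # assumed attribute name
        return base64.b64decode(text).decode("utf-8", errors="replace")
    return text


def audit_xml(xml_text):
    """Parse one FileZilla XML document and return (name, host, port, user, password)
    for every Server entry that has a stored password. Entries without a <Pass>
    element store nothing, so they are not reported."""
    root = ET.fromstring(xml_text)
    exposed = []
    for server in root.iter("Server"):
        pass_elem = server.find("Pass")
        if pass_elem is None:
            continue
        exposed.append((
            server.findtext("Name", default=""),
            server.findtext("Host", default=""),
            server.findtext("Port", default=""),
            server.findtext("User", default=""),
            recover_password(pass_elem),
        ))
    return exposed


def audit_directory(config_dir):
    """Audit every known login file that exists in config_dir; {filename: entries}."""
    results = {}
    for filename in CONFIG_FILES:
        path = os.path.join(config_dir, filename)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                results[filename] = audit_xml(fh.read())
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else filezilla_config_dir()
    findings = audit_directory(target)
    if not findings:
        print(f"No FileZilla login files under {target}; auditing the constructed sample.")
        findings = {"sitemanager.xml (sample)": audit_xml(SAMPLE_SITEMANAGER)}
    for filename, entries in findings.items():
        print(f"{filename}: {len(entries)} stored login(s)")
        for name, host, port, user, password in entries:
            # Mask on screen; the point is that the full value IS recoverable.
            print(f"  {name!r}: {user}@{host}:{port} password={password[:2]}*** ({len(password)} chars)")
```

Run it with no arguments on the machine you want to check; anything it lists is a login that a copied file, or malware, would hand over in full. The masking in the output is only for the screen: audit_xml returns the complete passwords, which is exactly what an attacker's copy of the file yields.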

The bottom line: You need to use a master password to protect any stored FTP logins. I won’t comment on the relative merits of the two solutions I've mentioned above, as I haven’t the time to investigate them to any depth. But I urge users of FileZilla – or any other FTP client – to ensure that they have closed down this vulnerability.