A developer who had his sites hacked because the FileZilla FTP client stores passwords on disk in cleartext has taken things into his own hands and put together FileZilla Secure, a FileZilla build that encrypts all of the user’s stored credentials under a master password.
Launched this past week, FileZilla Secure is a fork of the FileZilla 3.18.0 client that uses a more secure method of storing user passwords on disk.
Its developer, who goes by the handles fzss and dns4lyfe (on Reddit), says he chose to create the application after he became the victim of a malware infection.
FileZilla devs refused to support password encryption
He says that while surfing the web, he accessed a web page where a browser exploit almost instantly installed malware on his PC that collected sensitive files, including his FileZilla passwords, which were stored on disk in plaintext.
Fzss says the unknown malware author used the stolen FileZilla credentials to break into all of his sites and plant malware. In a single day, all of his sites were infected, and Google had blacklisted all of his previous work.
After spending more than a week cleaning up after the infection, fzss was disappointed again when he found that other users had complained to the FileZilla project’s site admins about the client’s plaintext password storage as far back as 2007, nine years earlier. Despite this, FileZilla’s developers refused to add a password encryption feature, even issuing the mind-boggling advice that users who want to be secure should not store any passwords in the client at all.
That’s when fzss forked FileZilla, and after a few months in development and testing, the app is now ready for mass distribution.
The developer says that future plans include updating FileZilla Secure to use the latest version of the FileZilla client, which is 220.127.116.11, at the time of writing.
Other applications, such as Firefox, Chrome, and several Bitcoin clients, also encrypt the user data they save on disk, or protect it with a master password; locally stored credentials are a frequent target of infostealers, password dumpers and RATs, which simply read any plaintext file they find.
FileZilla Secure is available for download via its homepage for Mac, Linux, and Windows (32-bit and 64-bit, also in portable format). The source code is also available for users who want to audit it. Just like the original FileZilla, FileZilla Secure is released under an open source license.