HostOnNet Blog

FileZilla FTP Software Is Insecure

I was checking through the Metasploit framework, and I found the exploit to hack FileZilla.

FileZilla stores passwords in plain text in an XML file. This was the same for years. I thought they had fixed it long back. I have not used FileZilla for a long time; I know of clients getting hacked using the FileZilla FTP client. I use the FlashFXP FTP client when I am on Windows; it has a master password that encrypts the passwords. So even if your PC is infected, a hacker won’t get the passwords of all your web sites.

Here is an interesting post by a FileZilla user:

It has happened to me. Tuesday this week my cell phone rang but I couldn’t pick it up that moment. When I checked to see who called me, I saw the number of my business partner on the display. He almost never calls me. I thought it was about our tax declaration being due, so I didn’t call back because I didn’t feel like talking about this topic. I then drove to my office.

In my inbox there was an email by our web host. It said something about suspected malware on our web space, which my business partner had reported. So that was why he tried to reach me… They said they could not find any problem on our web space but asked me to check it anyway. So I did…

I first went to the web site presenting one of our products. Within seconds, my anti virus software bombarded me with malware alerts and an unwanted file loaded itself down to my desktop. I downloaded the index.htm file using FileZilla to see what was going on. There was a block of cryptic code in it. And not only there, but in every HTML file of that web site! I reported to our web host that the site was obviously totally infected with malware. So much for them not finding a problem with it. But that’s a different thing.

Next web site I checked was our company web site: Same thing, malware all over. Meanwhile I answered some emails by upset customers reporting the issue. I also informed my business partner that I was already about to fix everything. We are also running a web forum for our products. Needless to say it was infected too, and so was our landing page for selling our product as well as some web sites still under construction.

Each and every one of our web sites was totally contaminated with malicious scripts. Most infected files were HTML files, but certain other files were affected too, like .htaccess, .js, .tpl and sometimes .php files. Thank heavens I had a backup of most web sites, so I could just delete and reupload them. Before I did that, I did an extensive virus scan on my hard drive of course, just to make sure that any new FTP passwords I set would not be stolen again. All this took me hours.

Unfortunately, I did not have a backup of our company web site. That’s because I have wanted to revise it anyway for months and thus considered it to be more or less temporary and not worthy of being backed up. So I had to manually remove the malicious blocks of code from hundreds of files. I finished at 3 am and went to bed around 5 am, after a final check for viruses on my hard drive and a message to my business partner and a couple of customers telling them that all viruses had been removed.

I woke up with a terrible headache next day, but was glad that everything was alright again. Or that’s what I thought… By chance I found out that a private web site of mine was also infected! How could that be? It was hosted by a free web space provider having nothing to do with our business web site! It occurred to me that I used FileZilla to manage both our business web sites and my private one… But how exactly did the attacker steal my passwords? Maybe he was sniffing around my ports on transmission of the passwords between my machine and the remote server? No! Why not? Because I haven’t used FileZilla for several months, neither for our business web sites nor for my private one. All web sites were running fine, so there was no need for FTP. So there is only one answer: The hacker must have stolen the passwords from the XML files stored by FileZilla!

Anyway, it took me another entire working day to also repair my private web site. I finished around 2 am last night, so today I also woke up with a massive headache. Meanwhile I learned that FileZilla does in fact store server passwords in a plain text file without encryption. I also learned that people have been complaining about this for years, and that the developer was refusing to fix that issue. Well, after all, FileZilla is a free software. Free software? I think that in the past 48 hours, I have more than paid for it…

I am using anti virus software and I am regularly doing scans for malware on my machine. So what else can I do to get my system “properly secured”? I am telling you this story to make you think twice. For me, the scenario of FTP passwords getting stolen from FileZilla and an attacker uploading malicious code to one or more web sites using the stolen information is not something that COULD happen. It’s something that DID happen to me, and it wreaked havoc on both my business and my private life! I had to cancel business talks, postpone unpaid bills, put customer orders on delay, sacrifice my leisure time and more. Now I hope that the issue is fixed, but I will still have some very busy days clearing the backlog that I am now facing.


This bug was reported 3 years ago. Still no fix. If you are using the FileZilla FTP client, make sure you are not saving passwords.
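To act on that advice, the check below lists which saved sites still carry a recoverable password, without ever printing the secret. It is an added example, not code from the original post or from FileZilla; the `<Server>`/`<Host>`/`<User>`/`<Pass>` layout, the `encoding` attribute and the sample XML are assumptions constructed for illustration, so compare them with your own file before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real configuration. The element layout is an
# assumption modelled on a saved-sites XML file; hosts and secrets are made up.
SAMPLE_XML = """<FileZilla3>
  <Servers>
    <Server><Host>ftp.example.com</Host><Port>21</Port>
      <User>webmaster</User><Pass>constructed-secret</Pass></Server>
    <Server><Host>files.example.org</Host><Port>21</Port>
      <User>deploy</User><Pass encoding="base64">Y29uc3RydWN0ZWQ=</Pass></Server>
    <Server><Host>static.example.net</Host><Port>21</Port>
      <User>anonymous</User></Server>
  </Servers>
</FileZilla3>"""


def classify_pass(elem):
    """Say how a <Pass> element stores its secret; never return the secret."""
    if elem is None or not (elem.text or "").strip():
        return "none"
    encoding = (elem.get("encoding") or "").lower()
    if encoding == "":
        return "plaintext"
    if encoding == "base64":
        # Base64 is an encoding, not encryption: anyone who reads the file
        # can reverse it, so treat it the same as plain text.
        return "base64 (reversible)"
    return "other: " + encoding


def audit_saved_sites(xml_text):
    """Return (host, user, storage) for each <Server> with a saved password."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.iter("Server"):
        storage = classify_pass(server.find("Pass"))
        if storage != "none":
            findings.append((server.findtext("Host", ""),
                             server.findtext("User", ""), storage))
    return findings


if __name__ == "__main__":
    for host, user, storage in audit_saved_sites(SAMPLE_XML):
        print(f"{host}\t{user}\tsaved password: {storage}")
```

Every host it reports should have the saved password removed from the client and changed on the server.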


  • Ted W

    Had a similar problem with both FileZilla and Dreamweaver’s lack of password security, and the incapacity or unwillingness to remedy this, costing me countless hours troubleshooting and cleanup on my VPS accounts where every html file had been infected with spam coding. Google blocked my server’s sites as attack sites, and I had to go through a number of steps to get reviewed and get a clean bill of health. (What could be worse than a client checking his site in the browser and seeing the attack site warning!)

    Now, it’s clear that no one in his right mind should opt to store passwords in either FileZilla or Dreamweaver. The writer here is spot on: it’s not some paranoid what-if scenario, it’s one nasty scenario that DOES happen. I have to thank the writer for taking the time to talk about that, and point out that years later, nada’s changed.

    One workaround I’ve had to implement is to use a password utility app like KeePass to paste in passwords at the connection prompt. Tedious yes, but far less so than having to run virus checks and clean up infected files. (I’m sure there are other comparable password apps, so this is hardly a pitch for any particular one.)

    Until commonly used FTP programs like FileZilla and Dreamweaver figure out a way to address the lack of security in their password handling, one has to ignore the save “option” which is really more like an unfixed bug.