Bugtraq mailing list archives

Re: FileZilla weakly-encrypted password vulnerability: advisory + PoC


From: Nicholas Knight <nknight () runawaynet com>
Date: Sun, 04 Sep 2005 04:10:18 -0700

m123303 () securityfocus com wrote:
Vulnerability summary
---------------------
- FileZilla client stores password using weak XOR "encryption"
- The value of the cipher key is static (it never changes) and can be found in the source code

As I'm getting rather tired of explaining to people, you will find the same "vulnerability" in any number of programs (KMail and KNode spring to mind immediately, as I've had to recover passwords from them in the past).

Developers don't intend these features as true security (note that the fact that the passwords are stored obfuscated is never advertised), but rather a deterrent against casual snoopers (like, say, a younger sibling being naughty), and reporting it isn't going to get you anything but mocked.

If you want to report something *closer* to a real vulnerability, try reporting the fact that FileZilla stores the information in a public folder instead of the user's private areas. On a multi-user system shared among family members, storing the data where it belongs offers far greater deterrent at zero cost.
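As an added illustration, not part of the original thread or of FileZilla's code, the two points above in Python: a static repeating-key XOR is deterministic and its key falls straight out of one known plaintext, so it is a deterrent rather than protection, while a credential file's real exposure comes from where it sits and who can read it. The key, file names and temp-directory layout are constructed for the demo.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed key for the demo; this is NOT FileZilla's key.
STATIC_KEY = b"example-static-key"


def xor_obfuscate(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """XOR each byte with the repeating static key. The same call both
    'encrypts' and 'decrypts', and the same input always gives the same
    output: there is no salt, IV or secret beyond the key in the binary."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(stored: bytes, known_plaintext: bytes) -> bytes:
    """Why a static key is no secret: C XOR P = K for every byte position,
    so one password you already know reveals the key stream for all others."""
    return bytes(c ^ p for c, p in zip(stored, known_plaintext))


def credential_file_exposure(path: Path) -> list:
    """Defender-side check: flag a credential file that other local users can
    read, or that lives outside the current user's own home directory."""
    findings = []
    if path.stat().st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by other users")
    if Path.home().resolve() not in path.resolve().parents:
        findings.append("stored outside the user's home directory")
    return findings


def write_private(path: Path, data: bytes) -> None:
    """Mitigation: create the file with mode 0600 so only the owner can read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo_file_exposure() -> dict:
    """Constructed demo on a POSIX filesystem: a 0644 file next to a 0600 one."""
    tmp = Path(tempfile.mkdtemp())
    public, private = tmp / "public.xml", tmp / "private.xml"
    public.write_bytes(xor_obfuscate(b"hunter2"))
    os.chmod(public, 0o644)
    write_private(private, xor_obfuscate(b"hunter2"))
    return {"public": credential_file_exposure(public),
            "private": credential_file_exposure(private)}
```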
