|
|
BugTraq
FileZilla weakly-encrypted password vulnerability: advisory + PoC Sep 02 2005 01:59PM m123303 securityfocus com, "[#*at*#]" securityfocus com,richmond ac uk securityfocus com (2 replies) Re: FileZilla weakly-encrypted password vulnerability: advisory + PoC Sep 05 2005 04:57PM Nick Boyce (nick boyce gmail com) |
|
Privacy Statement |
> Vulnerability summary
> - ---------------------
> - - FileZilla client stores password using weak XOR "encryption"
> - - The value of the cipher key is static (it never changes) and can
> be found in the source code
As I'm getting rather tired of explaining to people, you will find the
same "vulnerability" in any number of programs (KMail and KNode spring
to mind immediately, as I've had to recover passwords from them in the
past).
Developers don't intend these features as true security (note that the
fact that the passwords are stored obfuscated is never advertised), but
rather a deterrent against casual snoopers (like, say, a younger sibling
being naughty), and reporting it isn't going to get you anything but mocked.
If you want to report something *closer* to a real vulnerability, try
reporting the fact that FileZilla stores the information in a public
folder instead of the user's private areas. On a multi-user system
shared among family members, storing the data where it belongs offers
far greater deterrent at zero cost.
[ reply ]