When you first install WinSCP, it offers you the convenience of pulling your saved FileZilla/PuTTY credentials over, so you can hit the ground running. It really is convenient.
But it worried me. How did WinSCP find that info so easily? It was instantaneous. Turns out, really easily.
I started by looking through the registry, just by searching for my domain and seeing what came up.
There it is: WinSCP's storage of saved sessions, under HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions. This is what it compiled for itself, to save for later. I took the contents of the 'Password' value and had a look at it. It looked like hex, so I dropped it into HxD for some quick analysis.
Not much to offer. Obviously, I've obscured some information in case you figure out how to decode this. The point to take away is that hex is not encryption: whatever transformation WinSCP applies, it has to be reversible using nothing more than what is already on the machine, because WinSCP reverses it every time you connect. Anyone who can read your HKCU hive can do the same.
Searching my registry for my domain didn't yield much outside of WinSCP, actually. Turns out FileZilla doesn't store that information there at all. It's a lot easier to find: it lives in a plain XML file in your profile, sitemanager.xml under %APPDATA%\FileZilla.
There you have it. 11 lines from the bottom, you have your domain and username in plain text, and your password encoded in base64. Base64 is an encoding, not encryption; it hides nothing from anyone who can read the file. No wonder it was so easy for WinSCP to find it. All you would need is a tiny program that finds that file, grabs that string, decodes it, and sends it back to you. Disguise it as a .docx, send it to a sysadmin, and take over the servers. Hopefully they've got more in place to protect themselves than that.
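To show just how little that "tiny program" has to do, here is an added example of my own (not code from the post, from WinSCP or from FileZilla) that parses a FileZilla sitemanager.xml and recovers the stored passwords. The XML below is a constructed sample in FileZilla's format, not a real capture; the hosts, users and passwords in it are made up. It handles the three shapes you will meet in practice: a base64 `<Pass>`, a verbatim `<Pass>` from older clients that wrote the password as-is, and an entry with no `<Pass>` at all. FileZilla's optional master password writes a different encoding, which this parser deliberately reports as not recoverable rather than guessing.

```python
import base64
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample of a FileZilla sitemanager.xml (not a real file).
# Entries can sit directly under <Servers> or inside a <Folder>.
SAMPLE_SITEMANAGER = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.39.0" platform="windows">
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
      <Name>Example FTP</Name>
    </Server>
    <Folder expanded="1">Legacy
      <Server>
        <Host>sftp.example.test</Host>
        <Port>22</Port>
        <Protocol>1</Protocol>
        <Type>0</Type>
        <User>bob</User>
        <Pass>plaintext-from-old-client</Pass>
        <Logontype>1</Logontype>
        <Name>Old entry</Name>
      </Server>
    </Folder>
    <Server>
      <Host>ask.example.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>carol</User>
      <Logontype>2</Logontype>
      <Name>Prompt on connect</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def decode_pass(pass_elem: Optional[ET.Element]) -> Optional[str]:
    """Return the stored password in clear, or None if there is none or
    it is stored in a form this script does not try to reverse."""
    if pass_elem is None or pass_elem.text is None:
        return None
    text = pass_elem.text.strip()
    encoding = pass_elem.get("encoding")
    if encoding == "base64":
        # Base64 is an encoding, not encryption: one call undoes it.
        return base64.b64decode(text).decode("utf-8")
    if encoding is None:
        # Older FileZilla builds wrote the password verbatim.
        return text
    # Anything else (e.g. a master-password-protected store) is left alone.
    return None


def extract_sites(xml_text: str) -> List[Dict[str, Optional[str]]]:
    """Parse sitemanager.xml text and return one dict per saved site.
    iter() walks nested <Folder> elements as well as top-level entries."""
    root = ET.fromstring(xml_text)
    sites: List[Dict[str, Optional[str]]] = []
    for server in root.iter("Server"):
        sites.append({
            "name": (server.findtext("Name") or "").strip(),
            "host": (server.findtext("Host") or "").strip(),
            "port": (server.findtext("Port") or "").strip(),
            "user": (server.findtext("User") or "").strip(),
            "password": decode_pass(server.find("Pass")),
        })
    return sites


def default_sitemanager_path() -> str:
    """FileZilla's default per-user location on Windows. APPDATA is read
    from the environment so the function still works where it is unset."""
    return os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "sitemanager.xml")


def audit_file(path: str) -> List[Dict[str, Optional[str]]]:
    """Run the parser over a real file, e.g. to audit your own profile."""
    with open(path, encoding="utf-8") as fh:
        return extract_sites(fh.read())


if __name__ == "__main__":
    for site in extract_sites(SAMPLE_SITEMANAGER):
        shown = site["password"] if site["password"] is not None else "<not stored / not recoverable>"
        print(f'{site["name"]}: {site["user"]}@{site["host"]}:{site["port"]} password={shown}')
```

Run it as-is and it prints the three constructed entries, the first two with their passwords in clear; point `audit_file()` at `default_sitemanager_path()` on your own machine and you will see exactly what an attacker with read access to your profile would see.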
I guess it’s a little better than how they stored credentials back in 2008.