A basic tenet of open-source software security has long been the idea that since the code is open, anyone can look inside to see if there is something that shouldn’t be there.
It’s a truth that does work and many of us who use open-source software daily accept it as such. That’s why some recent news about a Trojan in a popular File Transfer Protocol (FTP) program is a potential cause for concern.
The malware versions of FileZilla are corrupted versions of the software that steal users’ credentials and could also be employed for spreading more malware. “Attackers also can download whole Web page source code containing database log-in, payment system, customer private information, etc.,” Avast stated in a blog post.
What’s important to note here, though, is the fact that it is not the official version of FileZilla that is at risk. Bogus versions of FileZilla are at risk.
Do a simple search on Google for FileZilla, and you’ll find several sites with downloads for the program. Open-source software, by definition, is freely redistributable, so having FileZilla available from multiple locations is not a surprise or anything new.
It’s a situation that the FileZilla project is also well aware of at this point.
“While this instance is one of the largest to date, there have been many cases of modified versions spreading malware hosted on third-party Websites for over a decade,” the FileZilla site states. “We do not condone these actions and are taking measures to get the known offenders removed. Note that we cannot, in general, prevent tainted versions on third-party Websites or prove their authenticity, especially since the FileZilla Project promotes beneficial redistribution and modifications of FileZilla in the spirit of free open-source software and the GNU General Public License.”
The lesson and the message here is simple, but very, very important. When consuming or downloading open-source software, make sure that you’re getting it from the legitimate source.
For FileZilla, that means getting the FTP program directly from the project page itself.
The larger question here is whether the same type of issue could potentially exist with other open-source software. It can, and that is why it’s important that users only download software from the “right” place. In my opinion, the “right” place is the actual project page of a given open-source application. Linux users should also generally feel safe getting applications for their respective Linux distribution software repositories, as well, since those have generally just been packaged for specific distributions from the upstream project.
So, the next time you look to download an open-source app, be sure to make sure you’re getting it from a source that you can trust.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.