When browsing the filemanager.ai website, the password is disclosed inside a Base64-encoded string.
That string is also stored in the browser’s history.
Example (not using real password):
Any Base64-encoded JSON object starts with “ey”, because that is how its opening {" characters encode.
So we can decode the string like this:
echo eyJ0IjoiZnRwIiwiYyI6eyJ2IjowLCJwIjoiWU9VUl9QQVNTV09SRF9IRVJFIn19IA0K | base64 -d
Then we can connect to this account using explorer.exe like so:
and we get full access to the FTP account.
This sort of attack could work if a user got a virus on their computer that sends their browser history to a malicious host. Anyone on the receiving end could then easily run a regular expression to search for strings starting with “ey”.
In my opinion I’d use some sort of temporary hash that would expire in 5 minutes.
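One way to build the expiring value suggested above, as an added example that is not the site's or the author's code: the URL carries a random single-use token (a random value rather than a hash of the credentials), and the connection details stay on the server. The class, method and field names are hypothetical, and the five-minute lifetime is taken from the suggestion above.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 5 * 60  # the five-minute lifetime suggested above


class HandoffTokens:
    """Server-side store: the URL carries a random token, never the credentials."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so expiry can be tested
        self._entries = {}           # sha256(token) -> (expires_at, connection)

    @staticmethod
    def _key(token):
        # Keep only a digest, so a dump of this table does not yield usable tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, connection):
        """Store `connection` server-side and return an opaque token for the URL."""
        self._purge()
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._entries[self._key(token)] = (self._clock() + TTL_SECONDS, connection)
        return token

    def redeem(self, token):
        """Return the stored connection once; None if unknown, reused or expired."""
        try:
            key = self._key(token)
        except UnicodeEncodeError:
            return None                       # not a token this store issued
        entry = self._entries.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return None
        expires_at, connection = entry
        return connection if self._clock() < expires_at else None

    def _purge(self):
        # Drop expired entries so abandoned tokens do not accumulate.
        now = self._clock()
        for key in [k for k, (exp, _) in self._entries.items() if exp <= now]:
            del self._entries[key]
```

A token recovered from browser history after it has been redeemed, or more than five minutes after it was issued, resolves to nothing.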