iTerm2, a popular Mac application that comes as a replacement for Apple’s official Terminal app, just received a security fix minutes ago for a severe security issue that leaked terminal content via DNS requests.
Version 3.1.1 disables a feature that was added in iTerm 3.0.0 and was turned on by default. This feature is found under iTerm2's "Perform DNS lookups to check if URLs are valid?" setting.
Introduced in version 3.0.0, this feature would watch the user's mouse when hovering any content inside iTerm2's terminal. When the mouse would stop over a word, iTerm2 would attempt to determine if that word was a valid URL and highlight the term as a clickable link.
To avoid creating dead links by using inaccurate string pattern matching algorithms, the feature would make a DNS request instead, and determine if that domain actually existed.
iTerm accidentally sent passwords, API keys to DNS servers
This behavior is a huge privacy issue, as users hovering their mouse over passwords, API keys, usernames, or other sensitive content, would unknowingly leak this information via DNS requests.
DNS requests are cleartext communications, meaning anyone capable of intercepting these requests would have had access to data a user was hovering in his iTerm terminal.
According to the app's official website, iTerm2 3.0.0 was released on July 4, 2016, indicating that scores of users leaked sensitive content to DNS servers without their knowledge for more than a year.
iTerm2 maintainer apologize
iTerm2's leak issue was first discovered ten months ago. iTerm2's creator initially reacted by adding an option to iTerm 3.0.13 that allowed users to disable DNS lookups. The feature remained turned on by default for new and existing installations.
Dutch developer Peter van Dijk, software engineer for PowerDNS, a supplier of open-source DNS software and DNS management service, re-reported this feature and this time around, he pointed out some of the severe privacy leaks not included in the first bug report.
"iTerm sent various things (including passwords) in plain text to my ISP's DNS server," van Dijk wrote flabbergasted in a bug report he filed earlier today.
This time around, George Nachman, iTerm2's maintainer, understood the severity of the issue right away and released iTerm2 3.1.1 to fix the problem within hours. He also apologized for enabling this feature by default without analyzing possible consequences in more depth.
"I don't have an excuse: I just didn't give this issue enough thought. I apologize for the oversight and promise to be more careful in the future," Nachman wrote. "Your privacy will always be my highest priority."
Security investigations also affected
Besides possibly leaking sensitive content such as passwords and API keys, there's also another negative side to this feature.
"Domains should not be queried through DNS to determine whether they are highlighted in iTerm," said a user named ewaher, the user who first spotted this bug's behavior.
"The current behavior can compromise a security analyst or incident responders investigation by querying a URL unintentionally while in iTerm," he added. "Often hackers/attackers monitor their attacking infrastructure for such investigators and these types of queries coming from a target's network."
According to the iTerm2 changelog, version 3.1.1 "includes a security patch to disable undesirable DNS requests that could leak user data."
Users using versions of iTerm between 3.0.0 and 3.0.12 are advised to update to at least version 3.0.13, where they can disable DNS lookups by going to Preferences ⋙ Advanced ⋙ Semantic History and flipping the "Perform DNS lookups to check if URLs are valid?" option to No.
Comments
rhasce - 6 years ago
Wow that is nuts
Occasional - 6 years ago
https://www.merriam-webster.com/dictionary/default
has "1: failure to do something required by duty or law :neglect " as it's first entry.
Of course, in the context of computer applications and use, we usually take the meaning: preset or preselected option. Yet, time and again, in these security and privacy concern reports, it's the first meaning that's most applicable.
Not only do preset options, seemingly for the convenience of the user, too often turn out to be bad news; there's also a preset mindset on the part of vendors and developers to focus on features and functionality, rather than starting with the physician's creed: Do no harm.
Harming the user is not the intent of most; but isn't there now also an obligation to examine the potential for misuse, unintentional or deliberate, before offering your application to the public? That's not asking for omniscience, just a good faith effort to do no harm. So, consider the first meaning of "default", before you apply the second.
besam - 6 years ago
Great article and really clear explanation!
Just a note that not all users of iTerm are male as this sentence suggests - "had access to data a user was hovering in his iTerm terminal". ;)