Naked Security

The software flaw that could beam out passwords by DNS

iTerm2 was trying to be helpful.

The developer behind the popular iTerm2 software, an alternative to Apple’s Terminal emulator, has posted an urgent security fix after a user noticed it could inadvertently leak sensitive data when attempting to resolve URLs.

In a case underlining how well-intentioned plans can go badly awry, v3.0.0 of the application, launched in July 2016, included a helpful feature that made URLs into clickable links.

When the Cmd key was pressed the application tried to determine if the text under the cursor looked like a URL. If the text passed a few rudimentary tests the application performed a DNS lookup, sending the text out into the ether, unencrypted.

Of course not everything under the cursor was a URL.

iTerm2 would happily perform DNS lookups on anything that passed its tests, including sensitive data such as passwords or private keys. The feature was also easy to trigger accidentally, wrote developer Peter van Dijk, who first researched the problem:

In the act of selecting text and Cmd-C’ing it to Copy, it is very easy to trigger this for passwords.

The developer’s response was to release a revised version, v3.0.13, which allowed users to turn the feature off. Except that the issue would have remained live for anyone who didn’t update their software, or who left the application in its default state.

The vulnerability also had a second, less obvious consequence, for security researchers, explained another user:

Domains should not be queried through DNS to determine whether they are highlighted in iTerm. The current behavior can compromise a security analyst’s or incident responder’s investigation by querying a URL unintentionally while in iTerm.

Often hackers/attackers monitor their attacking infrastructure for such investigators and these types of queries coming from a target’s network.

Last week, months on from the original complaint and under pressure from some users, iTerm2 was updated to v3.1.1, which rectifies the problem by completely disabling DNS lookups.
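To make the mechanism concrete, here is an added illustration (not iTerm2’s code, and not from the article’s author) of the two behaviours described above: the v3.0.0-era path, which applies a rudimentary syntactic test and then hands whatever passed to the resolver, and the v3.1.1-style path, which decides purely locally and never touches the network. The “looks like a URL” regex, the recording resolver and the strings under the cursor are all constructed assumptions; a logging resolver stands in for real DNS so the example runs offline and simply records what would have left the machine.

```python
import re
from typing import Callable, List

# Assumed rudimentary "looks like a URL" test, modelled on the article's
# description (a few syntactic checks). It is NOT iTerm2's real heuristic.
_CANDIDATE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.\-]*\.[A-Za-z0-9\-]+(/\S*)?$")


def looks_like_url(text: str) -> bool:
    """Local, network-free check: has a dotted host part or an http(s) scheme."""
    return bool(_CANDIDATE.match(text)) or text.startswith(("http://", "https://"))


def hostname_of(text: str) -> str:
    """Strip an optional scheme and path, leaving the name a resolver would see."""
    stripped = re.sub(r"^https?://", "", text)
    return stripped.split("/", 1)[0]


class RecordingResolver:
    """Stand-in for the system resolver. Instead of sending a DNS query it records
    the name, which is exactly the information an attacker-controlled or passively
    monitored nameserver would receive."""

    def __init__(self) -> None:
        self.queries: List[str] = []

    def __call__(self, hostname: str) -> bool:
        self.queries.append(hostname)
        # Constructed: pretend only example.com resolves.
        return hostname == "example.com"


def should_highlight_v300(text: str, resolver: Callable[[str], bool]) -> bool:
    """Behaviour the article attributes to v3.0.0: syntactic test, then a DNS
    lookup to confirm the host exists. Whatever passed the test leaves the machine."""
    if not looks_like_url(text):
        return False
    return resolver(hostname_of(text))


def should_highlight_v311(text: str, resolver: Callable[[str], bool] = None) -> bool:
    """Behaviour after v3.1.1: the decision is purely local, the resolver is
    accepted only for interface compatibility and is never called."""
    return looks_like_url(text)


# Constructed sample of text that might sit under the cursor in a terminal session.
SAMPLE_UNDER_CURSOR = [
    "example.com",                  # a genuine hostname
    "hunter2",                      # constructed password with no dot: fails the test
    "db.pass.word2017",             # constructed password containing dots: passes the test
    "api-key.internal/v1/secret",   # constructed internal URL fragment
]


def leaked_names(texts: List[str], highlight) -> List[str]:
    """Run the given highlight policy over the sample and return every name that
    would have been sent to DNS as a side effect."""
    resolver = RecordingResolver()
    for text in texts:
        highlight(text, resolver)
    return resolver.queries


if __name__ == "__main__":
    print("v3.0.0-style leaks:", leaked_names(SAMPLE_UNDER_CURSOR, should_highlight_v300))
    print("v3.1.1-style leaks:", leaked_names(SAMPLE_UNDER_CURSOR, should_highlight_v311))
```

Run as a script, the first line lists the password-like strings that would have gone out on the wire, and the second is empty. The same substitution technique (pointing an application at a logging resolver and comparing what it queries against what the user typed) is how a defender can check any “helpful” URL-detection feature for this class of leak before it ships.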

In fairness to iTerm2 developer George Nachman, checking that URLs actually work before allowing users to click on them would have looked like a user-friendly feature. The whole point of turning to an alternative to the macOS terminal is to make life slightly easier in myriad small ways after all – which the application achieves.

Admirably, Nachman has published his own short post-mortem of how the original problem occurred and why he overlooked fixing it when it was reported last year.

I don’t have an excuse: I just didn’t give this issue enough thought. I apologize for the oversight and promise to be more careful in the future. Your privacy will always be my highest priority.

The application has since received another tweak, taking it to v3.1.2. Anyone running v3.0.0 is advised to update to v3.1.1 or later as soon as possible.


2 Comments

Many props to George Nachman for acknowledging the importance of security. Irrespective of whether employed or contracted, they (devs) are typically motivated by feature requests and user-friendliness – both of which complicate (or even conflict with) good security.

To remove a “nifty” feature in the name of protecting the users is a rare occasion indeed, and it could cost him revenue in users who don’t understand the “why” and only notice that the trick they liked is gone. While we security zealots will applaud him, we’re still in the minority and might not collectively be able to make up that gap.

Admitting an oversight with humility is badass, and George is learning a lot quicker than Adobe. Makes me want to buy his software.
