iTerm2, a popular Mac application that comes as a replacement for Apple's official Terminal app, just received a security fix minutes ago for a severe security issue that leaked terminal content via DNS requests.

Version 3.1.1 disables a feature that was added in iTerm2 3.0.0 and was turned on by default. The feature is found under iTerm2's "Perform DNS lookups to check if URLs are valid?" setting.

Introduced in version 3.0.0, this feature watched the user's mouse while it hovered over any content inside iTerm2's terminal. When the mouse stopped over a word, iTerm2 tried to determine whether that word was a valid URL and, if so, highlighted it as a clickable link. To avoid creating dead links through inaccurate string pattern matching, the feature made a DNS request instead and checked whether the domain actually existed.

iTerm accidentally sent passwords, API keys to DNS servers

According to the app's official website, iTerm2 3.0.0 was released on July 4, 2016, meaning that scores of users leaked sensitive content to DNS servers without their knowledge for more than a year.

DNS requests are cleartext communications, so anyone able to intercept them on the path to the resolver, and the resolver operator itself, would have had access to whatever the user was hovering over in the iTerm2 terminal.

This behavior is a huge privacy issue, as users hovering their mouse over passwords, API keys, usernames, or other sensitive content would unknowingly leak that information via DNS requests.

iTerm2's leak issue was first discovered ten months ago. iTerm2's creator initially reacted by adding an option in iTerm2 3.0.13 that allowed users to disable DNS lookups, but the feature remained turned on by default for new and existing installations.

Dutch developer Peter van Dijk, a software engineer at PowerDNS, a supplier of open-source DNS software and DNS management services, re-reported the feature, and this time he pointed out several severe privacy leaks not covered in the first bug report.

"iTerm sent various things (including passwords) in plain text to my ISP's DNS server," a flabbergasted van Dijk wrote in a bug report he filed earlier today.

This time around, George Nachman, iTerm2's maintainer, understood the severity of the issue right away and released iTerm2 3.1.1 to fix the problem within hours. He also apologized for enabling this feature by default without analyzing the possible consequences in more depth.

"I don't have an excuse: I just didn't give this issue enough thought. I apologize for the oversight and promise to be more careful in the future," Nachman wrote. "Your privacy will always be my highest priority."

Security investigations also affected

Besides possibly leaking sensitive content such as passwords and API keys, the feature has another negative side. A DNS lookup is not a passive act: the query reaches the domain's authoritative nameserver, so an analyst who merely hovers over an attacker-controlled domain while reading logs or a malware sample resolves it from their own machine and can tip off its owner.

"Domains should not be queried through DNS to determine whether they are highlighted in iTerm," said a user named ewaher, the user who first spotted this bug's behavior.
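The following Python script is an added example, not code from the article or from the iTerm2 project. It models the design the article describes (a hovered word that is shaped like a hostname is looked up in DNS to see whether it exists) on a constructed terminal screen and lists which tokens would leave the machine as queries, covering both the credential-leak case and the investigation case of an indicator domain being resolved by a hover. It then runs a detection pass over constructed dnsmasq-style resolver log lines to find such leaks after the fact. The hostname heuristic, the log format, the entropy threshold, and every name and credential in it are this example's own assumptions; the real iTerm2 URL detector is not reproduced here.

```python
import math
import re
from collections import Counter

# Constructed terminal screen for the demonstration. The bearer token and the
# password are made-up values, not real credentials; example.com and .test are
# reserved names that never resolve.
SCREEN = """\
$ curl -H 'Authorization: Bearer 4eC39HqLyjWDarjtT1zdp7dc.x8Q2' https://api.example.com/v1/me
$ cat ~/.netrc
machine git.example.com login deploy password s3cr3t.Pa55
$ dig +short beacon.attacker-controlled.test
"""

# Toy hostname-shape check (this example's assumption, not iTerm2's URL
# detector): dot-separated labels of letters, digits and hyphens.
HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9-]+\.?$"
)


def hovered_lookup_name(word):
    """Name that a hover over `word` would send to the resolver under the
    "query DNS to see if it exists" design, or None if the word is not
    hostname-shaped."""
    w = word.strip("'\",;()<>[]")
    w = re.sub(r"^[a-z][a-z0-9+.-]*://", "", w, flags=re.I)  # drop a URL scheme
    w = w.split("/", 1)[0]                                     # drop any path
    return w if HOST_RE.match(w) else None


def leaked_names(screen):
    """Every distinct name that would be queried if the mouse crossed each
    word on the screen once, in screen order."""
    names = []
    for word in screen.split():
        name = hovered_lookup_name(word)
        if name and name not in names:
            names.append(name)
    return names


# Constructed resolver log in dnsmasq's "query[TYPE] name from client" style.
LOG = """\
Sep 11 10:12:01 dnsmasq[812]: query[A] api.example.com from 10.0.0.5
Sep 11 10:12:03 dnsmasq[812]: query[A] 4eC39HqLyjWDarjtT1zdp7dc.x8Q2 from 10.0.0.5
Sep 11 10:12:07 dnsmasq[812]: query[A] s3cr3t.Pa55 from 10.0.0.5
Sep 11 10:12:09 dnsmasq[812]: query[A] beacon.attacker-controlled.test from 10.0.0.5
"""
QUERY_RE = re.compile(r"query\[[A-Z]+\] (\S+) from (\S+)")


def shannon_entropy(s):
    """Bits per character of `s`; random key material scores well above words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def suspicious_queries(log_text, watchlist=(), min_len=16, min_entropy=3.5):
    """Return (name, client, reasons) for queries whose name looks like leaked
    secret material or matches an investigation watchlist. The thresholds are
    assumptions; tune them against your own resolver's baseline."""
    watched = {w.lower().rstrip(".") for w in watchlist}
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name, client = m.groups()
        labels = name.rstrip(".").split(".")
        reasons = []
        # Real TLDs are letters only; punycode IDN TLDs (xn--...) are the
        # exception and should be allow-listed if they appear in your logs.
        if not labels[-1].isalpha():
            reasons.append("non-alphabetic TLD")
        if any(len(l) >= min_len and shannon_entropy(l) > min_entropy for l in labels):
            reasons.append("high-entropy label")
        if name.lower().rstrip(".") in watched:
            reasons.append("watchlisted indicator")
        if reasons:
            hits.append((name, client, reasons))
    return hits


if __name__ == "__main__":
    for name in leaked_names(SCREEN):
        print("would query:", name)
    for name, client, reasons in suspicious_queries(LOG, {"beacon.attacker-controlled.test"}):
        print(f"{client} -> {name}: {', '.join(reasons)}")
```

Running it shows that the bearer token, the .netrc password and the indicator domain all become queries alongside the legitimate hostnames, which is exactly why a heuristic this loose must never be allowed to touch the network. For a retrospective check, point `suspicious_queries` at your resolver's query log and load the indicator domains from an investigation into the watchlist; a hit from an analyst workstation is the "security investigations also affected" case above.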