SecureMac, Inc.

Popular Terminal App Patches Severe Bug That Leaked Tons of Data

September 28, 2017

For power users, few things in the macOS ecosystem are as useful as the Terminal app. Whether you are working on a simple project or building extensively customized functionality for your machine, it opens many doors for the savvy user. Those same users sometimes find the stock Terminal app lacking, and alternatives such as the popular iTerm2 have sprung up over the years. With a recently issued security patch, however, the developer of iTerm2 acknowledged that the program had been leaking sensitive user information for nearly a year. Worse still, the issue was first reported more than ten months ago.

What happened? The issue is remarkably simple, and it is somewhat incredible it wasn’t fixed sooner. When a user hovered the pointer over a piece of text in iTerm2 (the Command-hover gesture that reveals clickable links), the app tried to decide whether the word under the cursor was a valid, clickable URL. In theory this is a useful feature: it avoids underlining text that merely looks like a hostname. The method behind it was the problem: iTerm2 resolved the hovered text as a hostname, so whatever sat under the cursor became a DNS query sent to the system’s configured resolver.

In other words, any time a user hovered over sensitive text in iTerm2, such as a password, a private API key, a username, or any other secret, that string left the machine as the query name in a DNS packet, totally “in the clear.” Conventional DNS carries no encryption, so anyone on the network path (an open Wi-Fi hotspot, a compromised router, the ISP) could read it, and the operator of the configured resolver received it outright and may have logged it. Because a bare password is not a name the resolver knows, the query could also be forwarded up the chain to the public root and top-level-domain servers. It represents a significant security hole through which a large amount of user data flowed.
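To make the two halves of this concrete, here is an added Python illustration (not code from iTerm2 or from this article): the first part encodes the kind of DNS query a stub resolver would emit for a hovered token and then recovers the query name from the raw bytes, exactly as an on-path observer or the resolver operator would; the second part is a purely syntactic clickability check that never touches the network, the shape of fix a developer would want instead. The hovered tokens are constructed sample values, and the key-shaped one is the documented placeholder from AWS’s own examples, not a real credential. No packet is sent.

```python
import re
import struct

# Constructed sample tokens a user might Command-hover in a terminal.
# None are real secrets; they only show what would leave the host.
HOVERED_TOKENS = [
    "example.com",
    "AKIAIOSFODNN7EXAMPLE",  # AWS's documented placeholder access key ID
    "hunter2",               # a "password" that is clearly not a hostname
]


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS A/IN query in RFC 1035 wire format for `name`.

    This is what a stub resolver puts on UDP/53 when asked to resolve the
    hovered text. Labels longer than 63 bytes or non-ASCII text are
    rejected, as a real resolver would refuse them.
    """
    qname = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")  # ValueError/UnicodeEncodeError if not ASCII
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        qname += struct.pack("B", len(raw)) + raw
    qname += b"\x00"
    # id, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def extract_qname(packet: bytes) -> str:
    """Recover the query name from a plaintext DNS packet.

    This is the observer's side: no key, no decryption, just parsing the
    length-prefixed labels that follow the 12-byte header.
    """
    pos = 12
    labels = []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def leaked_names(tokens):
    """Simulate the leak end to end: encode each hovered token as a query and
    return what a passive observer reads back from the wire."""
    return [extract_qname(build_dns_query(t)) for t in tokens]


# Hardened alternative: decide clickability from syntax alone.
# A hostname is dotted labels of [a-z0-9-], each 1..63 chars, not starting
# or ending with '-', ending in an alphabetic TLD of 2..63 chars.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.IGNORECASE,
)
_SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://\S+$", re.IGNORECASE)


def looks_like_url(token: str) -> bool:
    """Offline check: explicit scheme, or a dotted hostname with an alphabetic TLD.

    It can under-approximate (a valid single-label intranet host is not
    underlined), but that is the safe failure mode: nothing leaves the host.
    """
    if _SCHEME_RE.match(token):
        return True
    host = token.split("/", 1)[0]
    return bool(_HOSTNAME_RE.match(host))


if __name__ == "__main__":
    for token in HOVERED_TOKENS:
        pkt = build_dns_query(token)
        print("%-24s on wire as %r -> clickable offline? %s"
              % (token, extract_qname(pkt), looks_like_url(token)))
```

The point of `extract_qname` is that the name is not merely derivable from the packet; it is the packet’s payload, readable by anyone who sees the datagram. The syntactic check trades a little precision (dead links may still be underlined) for never sending terminal contents anywhere.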

After the first bug report, the developer added a preference to disable the DNS lookups, but left it switched on by default. Nearly a year later, a Dutch developer who noticed that the feature could send passwords and other secrets off the machine filed a new bug report, and this time the developer took a closer look. With an apology and a patch, iTerm2 received a critical update that turns the lookups off by default and closes the hole.

If you use iTerm2, update immediately to the current version, 3.1.1. If you cannot update yet, turn off the advanced preference that performs DNS lookups to check whether URLs are valid, and treat any credential you remember hovering over while on an untrusted network as potentially exposed. Overall, this incident highlights the need for developers to think carefully about the features they implement, and in particular about any feature that sends local content over the network. Sometimes what seems like a simple, well-intentioned idea can turn into a major security headache.
