SecureMac, Inc.

Popular Terminal App Patches Severe Bug That Leaked Tons of Data

Posted on September 28, 2017

For power users, nothing is quite as useful in the macOS ecosystem as the Terminal app. Whether you are working on a simple project or trying to create extensively customized functionality for your machine, it opens many doors for the savvy user. Those same users sometimes find the default Terminal app to be lacking, though, and thus alternatives, like the popular iTerm2 software, have sprung up over the years. With a recently issued security patch, however, the developer of iTerm2 acknowledged that the program had been leaking all kinds of sensitive user information for nearly a year. Worse still, the issue was initially reported more than ten months ago.

What happened? The issue in question is remarkably simple, and it’s somewhat incredible it wasn’t fixed sooner. Whenever a user hovered over a piece of text in iTerm2, it would try to determine if the word in question was a valid, clickable URL. In theory, this is a useful feature for avoiding dead links and ensuring clean code. However, the methodology behind the feature was the problem: iTerm2 took whatever text the user hovered over and sent that information to a DNS server to check its validity.

In other words, anytime a user hovered over sensitive information in iTerm2, such as a password, a private API key, a username, or any other kind of data, a DNS server received that text “in the clear.” Because requests to DNS servers are not encrypted, an attacker able to observe the traffic could have easily intercepted this information on its way to the server. It represents a significant security hole through which a huge amount of user information flowed.
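Text leaked this way ends up in resolver query logs, so a defender can look for query names that are not plausible hostnames. The sketch below is an added example, not code from the article or from iTerm2; the log format, sample lines, and thresholds are constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed resolver log lines: timestamp, client, query name, query type.
SAMPLE_LOG = """\
2017-09-20T10:01:02Z 192.0.2.10 www.example.com A
2017-09-20T10:01:05Z 192.0.2.10 hunter2 A
2017-09-20T10:01:09Z 192.0.2.10 sk_test_CONSTRUCTED0000 A
2017-09-20T10:01:12Z 192.0.2.11 mail.example.org AAAA
2017-09-20T10:01:20Z 192.0.2.10 q7Zp2LxV9rTb4KmW8sYd A
"""

# A hostname label: letters, digits, hyphens; no leading or trailing hyphen.
LDH_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

def shannon_entropy(text):
    """Bits per character of a non-empty string."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def suspicious_reasons(qname):
    """Return the reasons a query name looks like leaked text, not a hostname."""
    labels = qname.rstrip(".").split(".")
    reasons = []
    if len(labels) == 1:
        reasons.append("single-label")          # a bare word, no domain part
    if any(not LDH_LABEL.match(label) for label in labels):
        reasons.append("non-hostname-chars")    # e.g. underscores, punctuation
    # Assumed thresholds: long, random-looking labels resemble keys or tokens.
    if any(len(l) >= 16 and shannon_entropy(l) >= 3.5 for l in labels):
        reasons.append("high-entropy-label")
    return reasons

def scan(log_text):
    """Yield (client, qname, reasons) for every suspicious query in the log."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                            # skip malformed lines
        _, client, qname, _ = parts
        reasons = suspicious_reasons(qname)
        if reasons:
            findings.append((client, qname, reasons))
    return findings
```

Single-label names are common on networks that rely on DNS search domains, so treat hits as leads to review rather than confirmed leaks.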

After being made aware of the undesirable functionality via a bug report, the developer initially added an option to disable the DNS lookup feature. However, it remained enabled by default. A Dutch developer who noticed that this feature could send passwords and more created a new bug report — and this time, the developer took a closer look. With an apology and a patch, iTerm2 received a critical update that closed the hole.

If you use iTerm2, be sure to update your software immediately to the latest version, which is 3.1.1. Overall, this incident highlights the need for developers to think carefully about the features they implement. Sometimes, what seems like a simple and innovative idea with the best intentions at heart can turn into a major security headache.