The original address: www.bleepingcomputer.com/news/securi…

iTerm2, a popular macOS application that serves as an alternative to Apple’s official Terminal app, received a security fix a few minutes ago for a serious problem: it leaked terminal content via DNS requests.

Version 3.1.1 disables a feature added in iTerm2 3.0.0 that was enabled by default. The feature is controlled by iTerm2’s “Perform a DNS lookup to see if the URL is valid” setting.

Introduced in version 3.0.0, this feature watches the user’s mouse as it hovers over text in the iTerm2 terminal. When the mouse rests on a word, iTerm2 tries to determine whether the word is a valid URL and, if so, highlights it as a clickable link.

Rather than rely on inaccurate string pattern matching, which would create dead links, the feature issues a DNS request to determine whether the domain actually exists.

iTerm2 accidentally sends passwords and API keys to the DNS server

This behavior is a serious privacy issue: a user who hovers over a password, API key, username, or other sensitive content inadvertently reveals it in a DNS request.

DNS requests are sent in plaintext, so the DNS server itself and anyone who can intercept the traffic can read whatever the user hovered over in the iTerm2 terminal.
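For defenders, this leak has a recognizable signature in resolver logs: the hovered token arrives as a single, dot-free query name that is long and high-entropy, or that has the shape of a known key format. The following is an added example, not code from the article or the iTerm2 project; it assumes a simplified query-log format of `timestamp client qname qtype` and uses constructed sample lines.

```python
import math
import re

# Constructed sample DNS query log in an assumed simplified format
# ("timestamp client qname qtype"), not any particular resolver's real format.
# The two dot-free names imitate what a hover lookup of a token would produce.
SAMPLE_LOG = """\
2017-09-22T10:01:02Z 192.0.2.10 www.example.com A
2017-09-22T10:01:05Z 192.0.2.10 AKIAIOSFODNN7EXAMPLE A
2017-09-22T10:01:07Z 192.0.2.10 github.com AAAA
2017-09-22T10:01:09Z 192.0.2.10 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 A
2017-09-22T10:01:11Z 192.0.2.10 mail.example.org MX
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())

# Shapes of common secrets that might be hovered over in a terminal.
TOKEN_PATTERNS = [
    re.compile(r"^AKIA[0-9A-Z]{16}$"),     # AWS access key id shape
    re.compile(r"^[0-9a-f]{32,}$", re.I),   # long hex blob (hashes, tokens)
]

def looks_like_secret(qname: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Heuristic: a single-label name that matches a token shape, or is long and high-entropy."""
    label = qname.rstrip(".")
    if "." in label:  # ordinary hostnames contain dots; hover-leaked tokens usually do not
        return False
    if any(p.match(label) for p in TOKEN_PATTERNS):
        return True
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def flag_suspicious_queries(log_text: str) -> list:
    """Return (client, qname) pairs whose queried name looks like a leaked credential."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines
        _ts, client, qname, _qtype = parts[:4]
        if looks_like_secret(qname):
            flagged.append((client, qname))
    return flagged
```

Tune `min_len` and `min_entropy` against your own resolver's baseline; short or low-entropy passwords will not trip the entropy check, so the pattern list carries most of the weight for those.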

iTerm2 3.0.0 was released on July 4, 2016, according to the app’s official website, meaning that many users had unwittingly been leaking sensitive content to DNS servers for more than a year.

iTerm2 maintainer apologizes

The iTerm2 leak was first discovered ten months ago. iTerm2’s creators initially added an option in iTerm2 3.0.13 that let users disable the DNS lookups, but the feature remained enabled by default for both new and existing installations.

Dutch developer Peter van Dijk, a software engineer at PowerDNS, a provider of open source DNS software and DNS management services, re-reported the issue, and this time he pointed out serious privacy leaks that the first bug report had not covered.

“iTerm sends various things in plain text (including passwords) to my ISP’s DNS server,” van Dijk wrote in a bug report filed earlier today.

This time, iTerm2’s maintainer, George Nachman, immediately understood the seriousness of the problem and released iTerm2 3.1.1 to fix it. He also apologized for having enabled the feature by default without a deeper analysis of the possible consequences.

“I have no excuses: I just didn’t think about it enough, and I apologize for that and promise to be more careful in the future,” Nachman wrote. “Your privacy will always be my highest priority.”

Security investigations are also affected

Besides potentially revealing sensitive content such as passwords and API keys, the feature has another harmful side effect.

A user named Ewaher, who first reported the bug, argued that iTerm2 should not query domain names over DNS to decide whether to highlight them.

He added: “The current behavior could compromise the investigations of security analysts or incident responders by inadvertently querying URLs in iTerm. Hackers/attackers typically monitor their attack infrastructure for these types of queries, from investigators as well as from the target network.”

According to the iTerm2 change log, version 3.1.1 “includes a security patch to disable unnecessary DNS requests that could expose user data.”

Users running iTerm2 versions between 3.0.0 and 3.0.12 are advised to upgrade to at least version 3.0.13, where they can disable the DNS lookups under Preferences ⋙ Advanced ⋙ Semantic History by turning off the “Perform DNS lookups to check if URLs are valid?” option.