iTerm2, a populair terminal app, contained a very bad security issue. Everything you hover over was being checked if it was a clickable url. To determine if it’s a valid url, the hovered over string was being checked against DNS server. So if you hover over a password, or a secret key or whatever it sent out to the internet. Obviously this is a big problem. It’s fixed in the latest version. So if you use iTerm2 and haven’t updated it recently, be sure to do it now! The problem is fixed in version 3.1.1.
iTerm2’s leak issue was first discovered ten months ago. iTerm2’s creator initially reacted by adding an option to iTerm 3.0.13 that allowed users to disable DNS lookups. The feature remained turned on by default for new and existing installations.
Dutch developer Peter van Dijk, software engineer for PowerDNS, a supplier of open-source DNS software and DNS management service, re-reported this feature and this time around, he pointed out some of the severe privacy leaks not included in the first bug report.
“iTerm sent various things (including passwords) in plain text to my ISP’s DNS server,” van Dijk wrote flabbergasted in a bug report he filed earlier today.
This time around, George Nachman, iTerm2’s maintainer, understood the severity of the issue right away and released iTerm2 3.1.1 to fix the problem within hours. He also apologized for enabling this feature by default without analyzing possible consequences in more depth.