The developer of a popular Mac terminal emulator has shipped a fix for a feature that inadvertently leaked passwords and other sensitive data onto the internet via DNS queries, in an incident that highlights how hard it is to spot security weaknesses in commonly used programs.
The problem affected iTerm2, a widely used terminal emulator designed to take the place of macOS’ built-in Terminal, adding features such as support for common keyboard shortcuts.
One of the features, introduced in v3.0.0 in July 2016, turned URLs into clickable links. To decide whether a piece of text was a working link, iTerm2 would perform a DNS lookup on whatever text was under the cursor when the Cmd key was pressed, which meant sending that text, in the clear, to whatever DNS resolver the machine was configured to use.
The trouble was that all kinds of text might happen to be under the user’s cursor when the Cmd key was pressed, particularly since the key is used for common actions such as copy-and-paste, as iTerm2 user Peter van Dijk reported.
Van Dijk said he first noticed the issue when he monitored his own DNS traffic and found lookups that “made no sense”.
“iTerm sent various things (including passwords) in plain text to my ISP’s DNS server,” he wrote.
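Van Dijk found the leak by watching the queries his own machine sent to its resolver. The script below is an added example, not code from the article, from iTerm2 or from Van Dijk, of the triage a practitioner would run over such a capture: it parses constructed dnsmasq-style query log lines and flags names that look like shell commands or secrets rather than hostnames. The log format, the sample lines, the `lan` search domain and the small TLD allowlist are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed dnsmasq-style query log (not a real capture). Format assumed:
# "<timestamp> dnsmasq[pid]: query[<type>] <name> from <client>".
SAMPLE_LOG = """\
Sep 13 10:01:02 dnsmasq[412]: query[A] github.com from 192.168.1.20
Sep 13 10:01:05 dnsmasq[412]: query[A] ls from 192.168.1.20
Sep 13 10:01:09 dnsmasq[412]: query[A] Tr0ub4dor&3 from 192.168.1.20
Sep 13 10:01:11 dnsmasq[412]: query[AAAA] api.example.net from 192.168.1.20
Sep 13 10:01:13 dnsmasq[412]: query[A] xK9vQ2mZpL7wR4tY from 192.168.1.20
Sep 13 10:01:15 dnsmasq[412]: query[A] cd from 192.168.1.20
Sep 13 10:01:17 dnsmasq[412]: query[A] hunter2.lan from 192.168.1.20
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")
# A valid hostname label is letters, digits and hyphens, at most 63 octets.
LDH_LABEL = re.compile(r"^[A-Za-z0-9-]{1,63}$")
# Assumed allowlist; a real deployment would use the public suffix list.
KNOWN_TLDS = {"com", "net", "org", "io", "edu", "gov", "uk", "de", "lan", "local"}
# Assumed resolver search domain: a stub resolver appends this to bare tokens,
# so a leaked "hunter2" shows up in the log as "hunter2.lan".
SEARCH_DOMAINS = ("lan",)


def shannon_entropy(s):
    """Bits per character of the string's empirical distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def strip_search_domain(name, search_domains=SEARCH_DOMAINS):
    """Undo the resolver's search-domain suffixing so the raw token is judged."""
    for d in search_domains:
        if name.lower().endswith("." + d.lower()):
            return name[: -(len(d) + 1)]
    return name


def classify_name(name, known_tlds=KNOWN_TLDS):
    """Return the reasons a queried name looks like leaked text, [] if it looks like a hostname."""
    reasons = []
    labels = name.rstrip(".").split(".")
    if len(labels) == 1:
        # Bare words such as "ls" or a password; noisy on networks with
        # single-label intranet hosts, so treat as a triage signal, not proof.
        reasons.append("single-label")
    if any(not LDH_LABEL.match(label) for label in labels):
        reasons.append("non-hostname-chars")
    if len(labels) > 1 and labels[-1].lower() not in known_tlds:
        reasons.append("unknown-tld")
    longest = max(labels, key=len)
    # Random-looking labels (API keys, generated passwords) have high entropy.
    if len(longest) >= 12 and shannon_entropy(longest) > 3.5:
        reasons.append("high-entropy")
    return reasons


def parse_query_log(text):
    """Yield (qtype, name, client) for each query line; other lines are skipped."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("qtype"), m.group("name"), m.group("client")


def suspicious_queries(text, search_domains=SEARCH_DOMAINS):
    """Return [(queried_name, reasons)] for every query that does not look like a hostname."""
    out = []
    for _qtype, name, _client in parse_query_log(text):
        reasons = classify_name(strip_search_domain(name, search_domains))
        if reasons:
            out.append((name, reasons))
    return out


if __name__ == "__main__":
    for name, reasons in suspicious_queries(SAMPLE_LOG):
        print(f"{name:24s} {', '.join(reasons)}")
```

The heuristics are deliberately loose: on a network with single-label intranet hostnames the "single-label" signal alone will produce false positives, so in practice you would baseline the normal query set first and look at what is new. The search-domain stripping matters because a stub resolver's suffixing is exactly what makes a leaked bare token look like an ordinary two-label name in the log.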
iTerm2’s developer, George Nachman, initially released v3.0.13, which added a setting to turn the feature off, but the lookups stayed on for anyone still running an older version or who left the new setting at its default.
Van Dijk and others urged Nachman to turn the DNS lookup feature off by default, with one pointing out that security researchers, for instance, might not want URLs to be accidentally sent out in the form of DNS queries.
“Often hackers/attackers monitor their attacking infrastructure for such investigators and these types of queries coming from a target’s network,” one user wrote.
Last week Nachman published another update, v3.1.1, which disables the DNS lookups.
He admitted not having initially understood the security impact of the issue.
“Security almost always trades off against convenience,” Nachman wrote in a bug report response. “My threshold for the harm-benefit analysis has moved as a result of this issue, and I would not make the same choice again. There’s nothing like brutal experience to give you clarity.”
Computer security firm Sophos Labs advised any users still running v3.0.0 to update to v3.1.1 or later “as soon as possible”.