  2. 12

    Yikes.

    You can disable this by going to Preferences > Advanced > Search for “DNS” and changing the configuration value to No. I restarted iTerm too but I’m not sure if that is required.

    Update: You can also disable it by upgrading to the latest version of iTerm.

    1. 11

      It’s egregious judgement errors like this that make me wonder if the appropriate course of action is not to apply a patch, change settings, etc. but instead just uninstall and stop using it entirely. Who knows what else might be lurking in there?

      1. 17

        This seems a bit harsh.

        This feature allows iTerm to check whether links are clickable, which is a really cool feature IMO.

        Also, we should give the iTerm team props for releasing a patch so quickly.

        EDIT: It’s also nice to see someone owning up to their mistake: https://gitlab.com/gnachman/iterm2/wikis/dnslookupissue

        1. 7

          This feature allows iTerm to check whether links are clickable, which is a really cool feature IMO.

          It’s a nice feature, but it’d work just as well if it only checked a regex. Web browsers don’t even disable invalid links, so it’s a stretch to expect a terminal to do so.

          I do agree it’s a bit harsh to completely uninstall just over this issue, though.

          1. 10

            This seems a bit harsh.

            I don’t think so: if you need a bug to grasp why leaking DNS queries is bad, what other insane privacy gaps did you build into your software?

            This feature allows iTerm to check whether links are clickable, which is a really cool feature IMO.

            • build a list of clickable URIs in code
            • let the user specify URI prefixes
            • … or a regex!
            • … or even better push it to my plumber daemon!

            There are plenty of ways to make clickable links without adding a massive privacy vulnerability.
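The approaches listed above (a scheme/prefix allowlist, or a regex) are illustrated by the following added example, which is not iTerm2's code and not from the commenter. It assumes a hypothetical `find_clickable` function working on a constructed screen line, and it counts calls to `socket.getaddrinfo` while running so a reviewer can confirm that classifying text as clickable never resolves a name:

```python
import re
import socket

# Constructed example (not iTerm2's implementation): decide which spans of
# terminal text are clickable purely by pattern, so rendering a screen never
# sends a DNS query for words that merely look like hostnames.
# The prefix tuple stands in for "let the user specify URI prefixes".
DEFAULT_PREFIXES = ("http://", "https://", "ftp://", "ssh://", "mailto:")


def build_url_pattern(prefixes=DEFAULT_PREFIXES):
    """Compile a regex matching any allowed prefix followed by URL-safe characters."""
    # Longest prefixes first so e.g. "https://" is tried before "http://".
    alt = "|".join(re.escape(p) for p in sorted(prefixes, key=len, reverse=True))
    return re.compile(r"""(?:%s)[^\s<>"'()\[\]{}]+""" % alt)


def find_clickable(text, prefixes=DEFAULT_PREFIXES):
    """Return (start, end, url) for each clickable span. Pure string work, no I/O."""
    pattern = build_url_pattern(prefixes)
    spans = []
    for m in pattern.finditer(text):
        url = m.group(0).rstrip(".,;:!?")  # trailing punctuation is prose, not URL
        spans.append((m.start(), m.start() + len(url), url))
    return spans


def count_lookups_during(text, prefixes=DEFAULT_PREFIXES):
    """Run find_clickable while counting socket.getaddrinfo calls; return the count.

    A hypothetical review check: a link detector that does only string work
    must report zero here, whatever appears on screen.
    """
    calls = {"n": 0}
    real_getaddrinfo = socket.getaddrinfo

    def counting_getaddrinfo(*args, **kwargs):
        calls["n"] += 1
        return real_getaddrinfo(*args, **kwargs)

    socket.getaddrinfo = counting_getaddrinfo
    try:
        find_clickable(text, prefixes)
    finally:
        socket.getaddrinfo = real_getaddrinfo
    return calls["n"]


# Constructed screen line: an internal hostname that must NOT be looked up,
# plus two real-looking links with trailing punctuation.
SCREEN = ("hostname=build-42.internal.corp  docs at https://example.com/docs, "
          "mirror ftp://files.example.org/pub/.")

if __name__ == "__main__":
    for start, end, url in find_clickable(SCREEN):
        print(f"{start:3d}-{end:3d}  {url}")
    print("DNS lookups triggered:", count_lookups_during(SCREEN))
```

Anything not carrying an allowed prefix, such as `build-42.internal.corp` in the constructed line, is simply plain text; whether a detected link is actually reachable is left to whatever opens it, as the comment above notes browsers already do.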

            1. 9

              Sure! And @gnachman owned up to the fact that he didn’t think this through.

              My concern is with the people attacking iTerm and threatening to uninstall because the guy made a mistake. I have no doubt he works hard on iTerm and his response was both fast and transparent. I’m sure he’s learned a good lesson and this won’t happen again. If anything, I have more respect for him than I did before.

              1. 25

                It’s kind of gross that @gnachman has a long history of steadily improving iTerm and there are cries of “uninstall!” when he makes a single mistake that he fesses up to and fixes quickly. Seriously, why make free/OSS stuff if people are going to be that uncharitable about it?

                1. 2

                  Totally gross, indeed. Only took at least 3 bug reports (the other two are directly referenced by the OP of the new one), each detailing the very same security issue from a different angle (but each one is, in fact, security-related), over a period of 2 years (each report came roughly 1 year apart from the other one).

                  But, of course, the alternative facts is that once the word spread out to Hacker News / Lobsters / whatnot, the issue was “fixed” very quickly, so, to even entertain the idea that such software should be uninstalled due to this, is entirely unjustified and gross!

                  P.S. Did you know he has a Patreon, too, as per HN? If you do appreciate his work all that much, maybe instead of arguing against the solid security concerns that people with knowledge of the matter do have, you should instead be setting up your recurring donation?

                  1. 1

                    I’m not quite sure where to start with this response. I suspect we are talking past each other, or not talking about the same thing. I’m advocating for a little grace here. The implementation was bad, period. He should’ve fixed it earlier. But even with both concerns I can’t get too worked up about it. It’s funny because I work in infosec and I despise software bloat because it usually produces stupid bugs like this.

                    Anyway, thanks for the thoughts.

                2. 8

                  I quite like iTerm2, will continue to use iTerm2, and I’m grateful for the continued innovation and effort in iTerm2.

                  A concern I have is the issue has been reported twice over the past few years, both raising concerns around privacy and security:

                  only after the high level of attention paid to the bug on HN and Lobsters was the severity of the issue considered.

                  1. 2

                    I agree that this is a problem, but uninstalling isn’t the solution.

                    A better approach would be a post-mortem. Any reasonable engineering company would do this after finding a security issue in their software has been reported multiple times. Why not do the same in OSS?

                    I’ve opened this issue to try to get this started: https://gitlab.com/gnachman/iterm2/issues/6068

              2. 1

                Good looks owning up to it. I’ve been happy with iTerm2 for some time now, and this issue won’t change that, now that they have responded quickly and appropriately (in my mind).

              3. 1

                I uninstalled it after this. Apple has been improving terminal a lot in recent years. It now supports many of the features I sought in iTerm, like ligature rendering.

                I appreciate iTerm a lot, but really obvious security mistakes (correctly) lower people’s confidence in the security of the product in other respects.

              4. 3

                George showed up in the HN comments to apologize: https://news.ycombinator.com/item?id=15286956

                Given the level of concern, I will change the default and release a new version right away.

                1. 3

                  This is one of the reasons why I use a rather simple terminal (st - https://st.suckless.org/) for daily use. The code size with 4k LoC is still something you can have a look at.

                  1. 2

                    st doesn’t even have the ability to scroll. Comparing it to iTerm2 which has a ton of functionality is a joke. People are using iTerm2 for that extra functionality or else they’d just use Terminal.app.

                    1. 1

                      Just use that patch: https://st.suckless.org/patches/scrollback/

                      However, you’re missing the point. This discussion is not about “ton of functionality”, it is about security and privacy. The bug complains about a privacy issue. And if I want to have a terminal that respects both I need one which can be easily reviewed. I suspect st is more easy to review than iTerm2…

                  2. 4

                    A patch has been released as v3.1.1. It’s available here (the home page has not been updated at the time of posting) and through the iTerm “Check for Updates” feature.

                    1. 1

                      If you already know about this vulnerability, a patch is kinda pointless — presumably, you can already disable the setting as-is.

                      But a better option seems to be uninstalling such a PoS of a liability altogether — who knows what other great security decisions were taken? The fact that folks have pointed this out twice before, including in a security setting (Issue 5303 from 2016-11-02 — 10 months ago), and no one paid any attention to the big-picture implications, leaves little confidence in the project being capable of making sound architecture decisions.

                      1. 2

                        I’m torn, primarily because:

                        A) I wouldn’t personally be affected - never put sensitive material onscreen to be seen by passers-by (it stays in files or occasionally is on the clipboard for a second before getting cleared)

                        B) it’s a vastly better terminal emulator than the others I’ve tried. They really nailed the ‘useful’ bit.

                        On the other hand I agree that this implies a pretty serious lack of thought on the developer’s part, and I don’t think I want to risk it.