Thomas Delrue on 20 Sep 2017 11:22:12 -0700



Re: [PLUG] OT: iTerm2 Leaks Everything You Hover in Your Terminal via DNS Requests


On Wednesday, September 20, 2017 11:16:31 AM EDT JP Vossen wrote:
>OT but lots of folks on the list use Macs.  (Bad, no bacon!)
>
>https://www.bleepingcomputer.com/news/security/iterm2-leaks-everything-you-hover-in-your-terminal-via-dns-requests/ ...
>Version 3.1.1 disables a feature that was added in iTerm 3.0.0 and was
>turned on by default. This feature is found under iTerm2's "Perform DNS
>lookups to check if URLs are valid?" setting.
>
>Introduced in version 3.0.0, this feature would watch the user's mouse
>when hovering any content inside iTerm2's terminal. When the mouse would
>stop over a word, iTerm2 would attempt to determine if that word was a
>valid URL and highlight the term as a clickable link.

hahahah... bwaaahaahaaa... oh wow...

>To avoid creating dead links by using inaccurate string pattern matching
>algorithms, the feature would make a DNS request instead, and determine
>if that domain actually existed.

WHY, why would you farm this out to the cloud (i.e. "someone else's 
computer")? We have more processing power in our pocket than the entire world 
had available in the 70's and URL parsing is farmed out to the cloud? :|

Seriously though; it must have gone something like this:
- Dev A: We gotta underline links, but I don't know how to do this.
- Dev B: Use the cloud, man, the cloud is where it's at these days. Just see 
if the domain name resolves by firing off a DNS request and then if it isn't 
NXDOMAIN, you're golden. 
- Bearded Dev C: But guys, have you thought this through...? Have you 
consid...
- Dev B: Dude, don't be, like, totally a bore man... Cloud, didn't you hear? 
CLOUD! You old farts are always trying to keep us yung'ens back.

... and lo...

>According to the app's official website, iTerm2 3.0.0 was released on
>July 4, 2016, indicating that scores of users leaked sensitive content
>to DNS servers without their knowledge for more than a year.

They'll spin this as a "but you could turn this off, so it really is the 
user's fault", mark my words!

I weep... I weep for humanity...

Attachment: signature.asc
Description: This is a digitally signed message part.
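
For contrast with the lookup-based check quoted in the message above, here is a sketch of deciding whether a hovered token is a link from syntax alone, with no DNS query. It is an added example, not part of the original message and not iTerm2's code; the TLD set, function names and sample terminal line are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list for this demo. A real client would bundle a fuller
# suffix list with the application instead of asking the network.
KNOWN_TLDS = {"com", "org", "net", "io", "edu"}
SCHEMES = {"http", "https", "ftp"}
# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_hostname(host):
    """Syntactic hostname check: label rules plus a locally known TLD."""
    host = host.rstrip(".").lower()
    labels = host.split(".")
    if len(host) > 253 or len(labels) < 2:
        return False
    return labels[-1] in KNOWN_TLDS and all(LABEL.match(l) for l in labels)


def is_link_offline(token):
    """Decide whether a terminal token is a link without any network I/O."""
    token = token.strip("<>()[]\"',;")
    if "://" in token:
        try:
            parts = urlsplit(token)
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            return False
        if parts.scheme.lower() not in SCHEMES or not parts.hostname:
            return False
        return valid_hostname(parts.hostname)
    # Bare "host/path" form: only the part before the first slash is a host.
    return valid_hostname(token.split("/", 1)[0])


def links_in(line):
    """Return the tokens of one terminal line that would be underlined."""
    return [t for t in line.split() if is_link_offline(t)]


# Constructed sample line: a credential, a file name and two real links.
SAMPLE = ("curl -u admin:hunter2 https://www.bleepingcomputer.com/news/ "
          "> passwd.txt # see www.phillylinux.org")

if __name__ == "__main__":
    print(links_in(SAMPLE))
```

The trade-off is that a host under a suffix missing from the local list is simply not underlined, while the credential and file name on the same line never leave the machine.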

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug