from Hacker News

iTerm2 critical security release

by tjwds on 1/2/25, 10:08 PM with 438 comments

  • by Kwpolska on 1/2/25, 10:23 PM

  • by mattpavelle on 1/2/25, 10:22 PM

    > A bug in the SSH integration feature caused input and output to be logged to a file on the remote host. This file, /tmp/framer.txt, may be readable by other users on the remote host.

    Oof. This is nasty. Some folks may not have access to some machines that they've SSH'd into anymore where files like this may or may not exist.

  • by locusofself on 1/3/25, 6:21 AM

    I just want to sing some praises for iterm2. I've been using it for work and fun for many years now and will continue to use it and send a donation again as I did once before.

  • by kelnos on 1/2/25, 11:28 PM

    > I deeply regret this mistake and will take steps to ensure it never happens again.

    I always get a little... sigh-y when I read statements like these. What steps? I'm not even sure what I would do to ensure something like that wouldn't happen again. Build some automated tooling to run the software that exercises every single feature it has, and capture system calls to ensure that it never opens or writes to files? That sounds like a very difficult thing to do (to the point that I wouldn't even try, especially for a GUI app), but anything less doesn't feel like you can ensure it won't happen again.

  • by jcalx on 1/2/25, 10:37 PM

    I know it's largely personal preference but are there any strongly compelling reasons to use iTerm2 over stock Terminal on macOS in 2025? Despite recommendations, I've been wary of security and privacy issues much like this SSH bug.

  • by teruakohatu on 1/3/25, 1:56 AM

    I feel deeply for the developer who develops iTerm for relatively very little money, and already took a lot of criticism for the AI integration, far more than was warranted.

    I am also also deeply concerned about my use of iTerm now.

    I access HPC environments where I may have access for a short period of time. I am expected to take responsibility to clear out my data after use and don't expect there to be any data leakage. If I had been manipulating PII research data in the past year and using iTerm's SSH integration I would be in a bit of a bind and have to send some really embarrassing emails asking sysadmins to see if these logs exist, and if they belong to me, followed by disclosing data had been leaked.

    I use some of the more advanced features but at this point wonder if I should be using any features beyond the basic, and then I may as well be using another terminal. I haven't found a cross-platform editor that feels as native on MacOS as iTerm, ghostty included.

  • by xucheng on 1/3/25, 2:52 AM

    Many years ago, I reported an issue where iTerm2 leaks sensitive search history to preference files [1]. The issue was quickly fixed. But until this day, I can still find people unintentionally leak their search history in public dotfiles repos [2].

    [1]: https://gitlab.com/gnachman/iterm2/-/issues/8491

    [2]: https://github.com/search?q=NoSyncSearchHistory+path%3A*.pli...

  • by johnsonalpha on 1/3/25, 3:36 AM

    I’m a bit confused by the suggestion to "Just don’t use iTerm2." The reality is that this type of issue could happen with any project, and switching tools doesn’t provide meaningful protection. If anything, incidents like this often lead to stronger security practices. It’s like the old joke about firing an engineer after a mistake, and the manager responding, "Why would I fire them? They’ve just learned a lesson they won’t forget." Based on iTerm2’s track record, it doesn’t seem like they’ve had frequent critical security issues, and I doubt they’ll repeat this mistake. If they do, then it’s fair to reassess.

    As for the MacOS Terminal app, it might seem like a lower-risk option because it’s simpler and updates less frequently. However, being closed-source makes it impossible to audit, which brings its own risks. Ultimately, every tool has tradeoffs, and choosing the right one depends on balancing your needs with the potential risks.

  • by jey on 1/2/25, 10:22 PM

    iTerm2 increasingly seems too complex and bloated to me, with too many security issues. I haven't shopped for a new terminal emulator on macOS in a long time, but perhaps it's now time.

    I should also get around to switching to tmux, now that GNU Screen seems to be stagnant...

  • by loeg on 1/3/25, 1:18 AM

    This was only for the SSH integration, not if you just ran "ssh" in iTerm? I don't see these /tmp/framer.txt files on any of the hosts I sshed to (plain ssh).

  • by rswail on 1/3/25, 7:23 AM

    This thread reminded me to make my annual donation to iTerm2's developer, who does a pretty amazing job keeping iTerm MacOS compliant and up to date.

  • by SamuelAdams on 1/2/25, 11:35 PM

    > Delete /tmp/framer.txt on affected hosts.

    Isn’t the correct fix to assume compromise and rotate all SSH keys? I imagine there will be scripts created very quickly to grab this file from any servers, so even if it is deleted soon there is no guarantee someone else has not read it.

  • by wk_end on 1/2/25, 10:21 PM

    > A bug in the SSH integration feature caused input and output to be logged to a file on the remote host. This file, /tmp/framer.txt, may be readable by other users on the remote host.

    Curious about how this happens. What does "framer" mean, here?

  • by isatty on 1/2/25, 11:39 PM

    On the bright side this made me realize the stock terminal app has improved. I do use iTerm2 for its better rendering of text and color (and easier configuration of those things) but I don't really make use of any other features. Time to switch, perhaps.

  • by egorfine on 1/3/25, 12:07 PM

    iTerm2 is the app I spend the most time for like a decade or so.

    I feel bad for the developer. This is embarrassing and it totally could and probably will at some point happen to the best of us.

    So I have immediately donated and subscribed to monthly donations and I encourage everyone to do so. There should be zero doubt that the author deserves our support.

  • by ryanmccullagh on 1/3/25, 12:40 AM

    Why does a terminal need an SSH integration. Answer: it doesn’t and you shouldn’t use this because it is unsafe.

  • by paxys on 1/2/25, 10:48 PM

    That sound you hear is IT admins worldwide scrambling to delete /tmp/framer.txt from all their servers.

  • by MiscIdeaMaker99 on 1/2/25, 10:36 PM

    I would love to know more about how this got discovered and figured out. I can imagine some sysadmin pull their hair out, thinking they've got some infected system, but then find out it was some bug with their terminal emulator.

  • by soheil on 1/3/25, 8:49 AM

    I would advice anyone using iTerm not to willy-nilly switch their terminal to one recommended by a random user here.

    Terminals can have a huge attack surface and many "open-source" ones are maintained by less than trustworthy developers who very easily could inject a backdoor.

    Sticking with time-proven projects like iTerm provides the advantage of added trust, security and basic common sense.

    It also seems like a huge coincidence that there are a lot of green accounts here "highly" recommending all sorts of random terminal alternatives.

  • by NelsonMinar on 1/2/25, 10:59 PM

    How does a bug like this last for so many months without being noticed? Did no one notice a weird file in /tmp and wonder where it came from? The one with their ssh session history in it?

  • by rswail on 1/3/25, 7:10 AM

    I've used iTerm2 for as long as I've known about it, which would be maybe 10 years?

    I don't use much of the various SSH/mux features, 'cos I don't use multiple buffers, just multiple tabs.

    I like the scrollback and the footer and the integration with the shell, don;t care about scrolling speed very much, and it's sort of the "ain't broke, so why change".

    I'll take a look at ghostty, but not sure it gives me much.

    As for this security issue, it's a bug, the author found it, fixed it, announced what it was, and how to ameliorate the effects of the issue.

    He did that in a very reasonable timeframe and has been entirely open about it.

    The pile-on of moralists and what appear to be purists (and possibly early stage devs if they think process is the answer) is sorta pathetic.

    This entire thread is more twitter/reddit than what I've come to expect on HN.

  • by eximius on 1/2/25, 11:54 PM

    hah! Clicking "Remind Me Later" for the update prompts works again!

  • by lionkor on 1/3/25, 9:22 AM

    Not sure what the replies here are on about. This is NOT a "whoopsie, can happen to any project" bug. There was code in the project that EXPLICITLY leaked stuff into the remote host. Am I missing something?

    Not only would switching to a different project with more eyes on it probably never do this, it would also probably never let that through PR reviews.

  • by hbbio on 1/3/25, 3:24 AM

    I always preferred alacritty which is faster and hopefully safer.

    Tha macOS part uses the rust `objc2` crates which I find high quality and the codebase is a joy to read.

  • by decasia on 1/3/25, 1:10 AM

    I'm confused by the comments saying "Just don't use iTerm2." The same class of issue can occur for any other project, and switching is not a very effective defense against it.

    If anything, having an embarrassing issue like this is probably going to improve the iTerm2 project's security posture in the medium term. It's like that joke about firing the engineer who caused the incident, and the manager who retorts, "Why would I fire them? They just learned the hard way never to make this mistake again." (I'm paraphrasing.) I don't think that iTerm2 has had a notably high rate of critical security issues, and I suspect they won't make this class of mistake twice. (And if they do - then I will re-evaluate.)

    I suppose intuitively I would think that using the default MacOS Terminal app is a bit lower-risk than using iTerm2 or any other open source terminal emulator, as Terminal is a rather sparse piece of Apple-provided software with a low pace of change. But it's also closed source and impossible to audit, so there are tradeoffs there too.

  • by coolgoose on 1/3/25, 6:22 AM

    Looking at the replies here, I am not even sure how to react, it seems this community overall is going into a sad direction that just blames instead of trying to think of solutions.

    Most of them are just entitled and aggressive for absolutely no reason.

    It's perfectly fine to want to switch, or try something else, but to think other projects couldn't have issues is just naive to say it gently.

  • by mrichman on 1/3/25, 1:42 AM

    Glad I switched to Ghostty this week.

  • by muppetman on 1/3/25, 9:38 AM

    I thought we were all losing our mind over Ghostty anyway and iterm2 wasn't cool anymore because it's, apparently, slow?

  • by st3fan on 1/2/25, 10:40 PM

    I'm done with iTerm2.

    This was a great terminal when it was basically Terminal.app + missing features but over the past years it has grown into the proveribal "Kitchen Sink" and now does SO MANY things that I just don't care about.

    iTerm2 has become a huge app with many many knobs and levers and all kinds of functionality and integrations. I am not surprised at all that (security) bugs are found. More code, features, integrations means more potential for security issues.

    I switched to Ghostty, yes which had a security issue last week!, but at least it is a pretty minimal app with so far no intent to meet iTerm2 in terms of functionality.