This wasn't an accident; it deliberately looked up domain-looking strings against a DNS server. Don't patronize me, going by your Twitter picture, I've been at a command shell longer than you've been alive, I damn well know the difference. I also know that doing DNS lookups (to the user's chosen DNS server, rather than some secret one) on domain-name-looking data isn't evil or completely unreasonable. He should have made it clear and opt-in rather than opt-out as it was, but by no means was this a vulnerability. If the user can't trust their domain server for domain-like data, they shouldn't use that server.
> What happened: iTerm sent various things (including passwords) in plain text to my ISP's DNS server
iTerm was accidentally transmitting passwords in plain text via the network.
I'm pretty sure transmitting passwords in plain text isn't "working as intended".
Sure, you can go blame the user for not knowing that iTerm makes DNS queries when you hold down the command key.
But if you want to make secure software, you can't just tell the user it's their fault. You need to make sure that accidentally disclosing private information is not something that easily happens.
You're purposefully putting intent on software. It didn't send passwords, it sent strings that looked like a domain to a regex. It did not send a message to a DNS server "Hey DNS server, this is a password!" The user happened to want to use that string for a password.
If you leak user data accidentally, saying “that wasn’t my intent” doesn’t help much.
The important thing that you don't understand is that there is a difference between a search field / URL box and a terminal.
I absolutely expect my browser to make DNS queries for stuff I paste into the URL box.
I don’t expect my terminal emulator to make DNS queries for random strings displayed on screen that happen to match a regex.
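As an added illustration (not code from this thread or from iTerm2), the block below shows why an opt-out "resolve anything on screen that looks like a hostname" matcher leaks secrets from a terminal, and what the opt-in variant the thread asks for looks like. The regex, the screen contents and the secret values are all constructed assumptions, not iTerm2's actual matcher or real credentials.

```python
import re
from typing import Iterable, List, Optional

# Constructed, simplified "looks like a hostname" pattern (an assumption, not
# iTerm2's real matcher): one or more dotted labels ending in a letters-only label.
DOMAIN_LIKE = re.compile(r"\b(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}\b", re.IGNORECASE)

# Constructed terminal screen. The password and token are made-up values whose
# only purpose is to contain dots, as real secrets often do.
SCREEN = """\
$ ssh deploy@build.example.org
$ mysql -u app -pS3cret.pass.word -h db.internal
$ export API_TOKEN=eyJhbGci.oidcdemo.signaturepart
$ curl https://api.example.com/v1/health
"""

# Constructed secrets that appear on the screen above.
SECRETS = ["S3cret.pass.word", "eyJhbGci.oidcdemo.signaturepart"]


def naive_lookup_candidates(screen: str) -> List[str]:
    """Every token an eager, opt-out matcher would hand to the resolver.

    Note that the mysql password is captured together with its -p flag letter,
    because the regex only sees a run of word characters with dots in it.
    """
    return [m.group(0) for m in DOMAIN_LIKE.finditer(screen)]


def opt_in_lookup_candidates(screen: str, enabled: bool, selected: Optional[str]) -> List[str]:
    """Resolve only when the feature is on and the user explicitly picked a token."""
    if not enabled or selected is None or selected not in screen:
        return []
    return [selected] if DOMAIN_LIKE.fullmatch(selected) else []


def leaked_secrets(candidates: Iterable[str], secrets: Iterable[str]) -> List[str]:
    """Which lookup candidates would carry a known secret over the wire as a DNS query."""
    return [c for c in candidates if any(s in c for s in secrets)]
```

Running `leaked_secrets(naive_lookup_candidates(SCREEN), SECRETS)` is the audit a defender can apply to any screen-scraping feature: if it returns anything, the feature ships secrets to whatever resolver the machine is using.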