I've been using iTerm daily for something like a decade at this point and I'm struggling to think of any examples of this string of extremely bad vulns. There's this one, which is specific to SSH integration. There was CVE-2024-38396, which is the window title escape sequences I was talking about above.
A vuln every 7-8 years is "a string of unique and extremely bad vulns"?
I use iTerm2, mostly because that's what I'm used to: I installed it on my first Mac years ago when Terminal.app was really bad. I'm willing to switch to another terminal, but I don't see yet how iTerm2 is so much worse than the competition security-wise.
(I also don't understand the general animosity towards an opensource project with one developer doing all the work for 15 years.)
Point being: it’s not hard to see what I’m talking about if you look up previous vulnerabilities in iTerm2, particularly around its sophisticated integration features. (I suppose I talk about this enough that it might be worth compiling all the history I’m aware of somewhere, I don’t want to sound like I’m just making this up)
> I also don't understand the general animosity towards an opensource project with one developer doing all the work for 15 years
I have nothing against George Nachman and iTerm2 is certainly an achievement, one that I probably couldn’t replicate myself. Nonetheless I feel the need to hold my terminal emulator to higher standards because it processes sensitive data and untrusted input with (inherently) poor isolation between the two. Until Ghostty I used Terminal.app for many years, having previously switched away from iTerm2 after the vulnerability discovered in 2017. That’s still what I recommend to people because it has a much smaller feature set and thus attack surface compared to iTerm.
I hope I didn´t sound like I did not believe you, I honestly had no idea. I don´t get an update for iTerm2 every week so I figured it was mostly stable / had no sec issue.
Following this discussion I decided to give Ghostty and kitty a try. I kept Ghostty, mainly because the shortcuts I use the most in iTerm2 are there and I like the default theme (yes, I'm a simple person.) It has less features / integrations I don´t use anyway so I guess the attack surface is smaller.
Probably true, but it still stings that this dubious piece of software (speaking as a former iTerm2 user still holding a grudge) had been spraying my passwords and random terminal activity all over the internet in the form of unencrypted DNS requests for who knows how long, deliberately, due to mindless opt-out featuritis on the part of the developer. In my mind this is one of the clearest violations of privacy and information security I've been directly subjected to, because the developer had some gee-whiz-neato idea of highlighting URLs in a terminal and making them clickable.
It pains me to think people are still exposing themselves to this class of risk because of whatever iTerm2's latest and greatest idea is.
I think it's very reasonable to point at the development model and go, "I think this is bad and specifically the cause for security vulnerabilities". If you want to make that your position (I am sure it is already, and I don't think it is particularly controversial) that is completely fine. But there's a difference between holding that and your actual comment. Like, this was 100% unintentional, and people literally introduce malicious or undesirable features in their software all the time. Maybe we should save the tarring and feathering for that, and come up with a more measured take for stuff like this?
What others am I missing?