Article Details
Scrape Timestamp (UTC): 2025-08-08 15:34:00.704
Source: https://www.theregister.com/2025/08/08/stardict_leaky_app_of_week/
Original Article Text
Star leaky app of the week: StarDict

Fun feature found in Debian 13: send your selected text to China – in plaintext.

As Trixie gets ready to début, a little-known app is hogging the limelight: StarDict, which sends whatever text you select, unencrypted, to servers in China.

A discussion on the oss-security mailing list at Openwall highlights an interesting feature of an apparently innocuous dictionary app that's included in Debian: StarDict, a GTK app that looks up text and displays the definition in a tooltip. The alarm was raised by Vincent Lefèvre from INRIA in an email titled "StarDict sends the user's X11 selection to the network":

"With some plugins, StarDict sends the user's X11 selection from other applications to some servers: dict.youdao.com and dict.cn (both Chinese servers)."

Two details make that worse than it first sounds. The X11 selection in question is what X calls the PRIMARY selection, which is set simply by highlighting text in any X11 application; no copy action is needed. And because the lookup request goes out unencrypted, the highlighted text is readable not only by the two dictionary operators but by anyone on the network path in between.

Debian developer Maytham Alsudany responded that this isn't a bug:

"Yes, that's a feature: it will look up your selections in local and online dictionaries, and by default it searches English-Chinese dictionaries. You can disable it in the settings by enabling 'Only scan while the modifier key is being pressed' under 'Scan Selection', or disable the network dictionary plugins."

He's right, which leaves us honestly unsure how to categorize this behavior: it's not a bug exactly, nor an exploit, although by most definitions it is a vulnerability, specifically an information-disclosure channel that is switched on by default. Even if the app is just doing what it says on the tin, Lefèvre responded: "Such a feature should have never been enabled by default," and has now filed Debian bug #1110370.

StarDict has been around for decades: it has its own Wikipedia entry, which documents development going back to 2003. This particular misfeature isn't new either: an older version of the same app was already flagged as CVE-2009-2260 back in 2009.

What StarDict does is certainly useful. For comparison, Apple macOS has a similar function built in, called Look Up: in any native Mac app, you can select a word, right-click and pick Look Up to get a definition.
The difference is that macOS has a built-in Dictionary app, so the Look Up function doesn't need the internet to work. Linux has nothing like that, though, and if you look at the Debian package for StarDict, the online-dictionaries plug-in is pulled in by default: it is listed as a Recommended package (for clarity, "rec" is short for Recommended), and apt installs Recommends unless told otherwise.

Before you recoil in shock, though, consider for whom this is intended. It's a Chinese tool, and although it can work with numerous languages, it defaults to looking up definitions in Chinese. Standards of what sort of behavior is normal and totally unproblematic vary widely from country to country. Privacy standards vary more than many realize, and we can imagine that this sort of thing may seem quite innocuous to lots of people in China – and elsewhere in the world. We can imagine plenty of people thinking: so, it sends whatever you select, but then a bare bank account number isn't a great risk, is it?

We rather suspect that this is not acceptable to a great many of our readers, however. We suggest checking whether the app is installed on your system and, if it is, removing it just in case. If you want to keep it, at least disable the network dictionary plugins or switch scanning to modifier-key-only, as described above: the first stops lookups leaving the machine at all, the second limits them to the moments you explicitly ask for one.

If they weren't smug enough already, Wayland users can relax: Wayland's default policy of isolating applications from one another means that on Wayland-based systems, StarDict can't see what you've selected in native Wayland clients. One caveat is worth stating: StarDict itself is an X11 application, and X11 programs running under XWayland share one X server with each other, so text selected in other XWayland apps remains visible to it.

Bootnote

Our thanks to Reg reader Sam L. for bringing this to our attention.
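As an added example (not code from the article, from Debian or from the StarDict project), the following POSIX shell helpers cover the practical steps a reader of the above would take, and go one step further than the article by adding a detection check for an access log: inventorying StarDict packages on a Debian/dpkg host, showing that any X11 client can read the PRIMARY selection without focus, and flagging plaintext lookups to the two named hosts in HTTP proxy or access logs. Assumptions: dpkg-query for the inventory, xclip for the X11 demonstration, and a constructed five-field log format (timestamp, client IP, method, host, path) with constructed sample lines; the query paths in the sample are made up and are not the dictionaries' real APIs.

```shell
#!/bin/sh
# Added example, not code from the article or the StarDict project.
# Assumptions: dpkg-query (Debian/Ubuntu) for the inventory, xclip for the
# X11 demonstration, and a constructed log format for the detection helper.

# Hostnames the oss-security report names as StarDict's online dictionary targets.
STARDICT_HOSTS='dict.youdao.com dict.cn'

# List every installed package whose name starts with "stardict": the app plus
# whichever plugin packages are present (their exact names are not assumed).
# Returns 2 on a system without dpkg, 1 when nothing is installed.
stardict_packages() {
    command -v dpkg-query >/dev/null 2>&1 || return 2
    found=$(dpkg-query -W -f='${Package}\t${Status}\n' 'stardict*' 2>/dev/null |
        awk -F'\t' '$2 ~ /installed$/ { print $1 }')
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# On X11 any client can read the PRIMARY selection (text merely highlighted in
# another program) at any time, without having focus. That is the channel the
# StarDict scan feature uses; a Wayland client only receives selection data
# while it has focus, which is why the feature does not work for native
# Wayland applications.
primary_selection() {
    [ -n "$DISPLAY" ] || { echo "no X11 display" >&2; return 2; }
    xclip -o -selection primary
}

# Flag plaintext lookups to the online dictionary hosts in an HTTP access log.
# Expected line shape (constructed for this example):
#   <timestamp> <client-ip> <method> <host[:port]> <path>
# Prints "<client-ip> <host> <path>" per hit so the analyst sees exactly which
# selected text left the machine (it travels in the query string).
flag_dict_lookups() {
    awk -v hosts="$STARDICT_HOSTS" '
        BEGIN { n = split(hosts, h, " "); for (i = 1; i <= n; i++) want[h[i]] = 1 }
        NF >= 5 {
            host = $4
            sub(/:[0-9]+$/, "", host)    # tolerate an explicit :port, e.g. dict.cn:80
            if (host in want) print $2, host, $5
        }
    ' "$@"
}

# Constructed sample log (not real traffic; the paths are made up and are not
# the dictionaries' real APIs). Two of the four lines should be flagged.
sample_log() {
    cat <<'EOF'
2025-08-08T15:34:00Z 10.0.0.5 GET dict.youdao.com /search?q=quarterly+revenue+forecast
2025-08-08T15:34:01Z 10.0.0.5 GET deb.debian.org /debian/dists/trixie/InRelease
2025-08-08T15:34:02Z 10.0.0.7 GET dict.cn:80 /ws.php?q=account+number+12345678
2025-08-08T15:34:03Z 10.0.0.9 GET www.example.com /
EOF
}

# Stand-alone run: sh stardict_check.sh demo
# Removal, once you have reviewed the list: sudo apt-get purge $(stardict_packages)
if [ "${1:-}" = "demo" ]; then
    echo "== installed StarDict packages =="
    stardict_packages || echo "(none found, or not a dpkg-based system)"
    echo "== plaintext dictionary lookups in the sample log =="
    sample_log | flag_dict_lookups
fi
```

The removal line deliberately feeds explicit package names from the inventory to apt-get rather than a pattern, because apt's pattern matching is a substring regex and 'stardict*' would also match unrelated packages. For real logs, point flag_dict_lookups at the file (flag_dict_lookups /var/log/squid/access.log) after adjusting the field positions to your format; the host comparison strips a trailing port so proxy logs that record dict.cn:80 are still caught.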
Daily Brief Summary
StarDict, a dictionary app included in Debian, transmits user-selected text unencrypted to Chinese servers, raising privacy concerns.
The app looks up highlighted text in local and online dictionaries and, by default, queries English-Chinese online dictionaries at dict.youdao.com and dict.cn.
The Debian maintainer does not classify the behavior as a bug; it can be disabled by enabling "Only scan while the modifier key is being pressed" under "Scan Selection" or by disabling the network dictionary plugins.
The same behavior was already flagged as CVE-2009-2260 in 2009; Vincent Lefèvre has now filed Debian bug #1110370 against the default setting.
macOS offers a similar Look Up feature, but it uses the built-in Dictionary app and does not need internet connectivity, unlike StarDict.
Privacy standards vary globally, but this feature's default setting may not align with user expectations outside China.
Users are advised to verify if StarDict is installed and consider removing it to mitigate potential data privacy risks.
Wayland-based systems are unaffected because Wayland isolates applications from one another, so StarDict cannot read text selected in native Wayland applications.