StarDict sends X11 clipboard to remote servers [LWN subscriber-only content]
StarDict is a GPLv3-licensed cross-platform dictionary application. It includes dictionaries for a number of languages, and has a rich plugin ecosystem. It also has a glaring security problem: while running on X11, using Debian's default configuration, it will send a user's text selections over unencrypted HTTP to two remote servers.
On August 4, Vincent Lefevre reported the problem to the oss-security mailing list and to Debian's bug tracker. He identified it while testing his setup before the upcoming Debian 13 ("trixie") release. Installing StarDict will also install the stardict-plugin package by default, because the former lists the latter as a Recommends, and APT installs recommended packages unless told otherwise (for example with --no-install-recommends). The plugins package contains a set of commonly used StarDict plugins, including a plugin for YouDao, a Chinese search engine that supplies Chinese-to-English translations. The plugin also contacts a second online Chinese dictionary, dict.cn.
This would normally not be much cause for concern; of course a dictionary program will include code to talk to dictionary-providing web sites. But one of StarDict's features, which is also enabled by default, is its "scan" functionality: it watches the user's text selections (text highlighted with the mouse, which on X11 is the PRIMARY selection that any X client can read without a permission prompt) and automatically provides translations as a pop-up. Taken together, the two features result in any selected text, whatever application it was highlighted in, being sent in cleartext to both servers. This only occurs while StarDict is open, but the application is designed to be left open in the background in case the user needs a quick reference while reading.
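The leak described above is visible on the wire: each lookup is a plaintext HTTP request whose query string carries the highlighted text. The following detection script is an added example written for this article, not StarDict's code or anything from the Debian bug report. It parses constructed Zeek-style http.log lines and flags requests to the two dictionary services that travel over a plaintext port, decoding the leaked selection from the URL. The dict.cn hostname comes from the report; the dict.youdao.com hostname, the log fields, the request paths and the query parameter names are assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed Zeek-style http.log lines (tab-separated): ts, orig_h, resp_h,
# resp_p, method, host, uri. Invented for this example; the hostnames, paths
# and query parameter names are assumptions, not captured StarDict traffic.
SAMPLE_HTTP_LOG = """\
1722765600.101\t10.0.0.5\t203.0.113.10\t80\tGET\tdict.youdao.com\t/fsearch?q=confidential+merger+terms
1722765601.210\t10.0.0.5\t203.0.113.20\t80\tGET\tdict.cn\t/ws.php?q=confidential+merger+terms
1722765602.330\t10.0.0.5\t203.0.113.30\t80\tGET\tdeb.debian.org\t/debian/dists/trixie/InRelease
1722765603.440\t10.0.0.5\t203.0.113.20\t80\tGET\tdict.cn\t/ws.php?q=password%3A+hunter2
"""

# Services the plugin contacts. dict.cn is named in the report; the
# youdao.com domain is an assumption for the example.
WATCHLIST = ("dict.cn", "youdao.com")
PLAINTEXT_PORTS = {80, 8080}
# Query parameter names that plausibly carry the looked-up word (assumed).
LOOKUP_PARAMS = ("q", "w", "word")


@dataclass
class Leak:
    ts: str
    client: str
    host: str
    selected_text: str


def _host_matches(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_http_log(text):
    """Parse tab-separated http.log lines into dicts; skip comments/malformed."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        ts, orig_h, resp_h, resp_p, method, host, uri = fields
        records.append({
            "ts": ts, "orig_h": orig_h, "resp_h": resp_h,
            "resp_p": int(resp_p), "method": method, "host": host, "uri": uri,
        })
    return records


def _leaked_text(uri):
    """Recover the looked-up text from the query string (URL-decoded)."""
    query = parse_qs(urlsplit(uri).query)
    for name in LOOKUP_PARAMS:
        if name in query:
            return query[name][0]
    # Fall back to the first parameter value if the name is unfamiliar.
    return next((v[0] for v in query.values()), "")


def find_leaks(records, watchlist=WATCHLIST):
    """Flag plaintext requests to the watchlisted dictionary services."""
    leaks = []
    for r in records:
        if r["resp_p"] not in PLAINTEXT_PORTS:
            continue
        if not _host_matches(r["host"], watchlist):
            continue
        leaks.append(Leak(r["ts"], r["orig_h"], r["host"], _leaked_text(r["uri"])))
    return leaks


if __name__ == "__main__":
    for leak in find_leaks(parse_http_log(SAMPLE_HTTP_LOG)):
        print(f"{leak.ts} {leak.client} -> {leak.host}: {leak.selected_text!r}")
```

Two design points: the host match is suffix-based, so a service that shifts lookups to another subdomain is still caught, and the script keys on the destination port rather than the URI scheme because Zeek's http.log only records traffic it could parse as cleartext HTTP in the first place; a TLS lookup would land in ssl.log and carry no readable query string.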
StarDict on Wayland doesn't have this problem, because Wayland, unlike X11, does not let an application read the contents of another application's selection unless it has focus. That does mean that it breaks StarDict's scan feature, though.
Xiao Sheng Wen, the Debian package maintainer for StarDict, didn't see a problem with the behavior, noting that if a user doesn't want to use the scan functionality or the YouDao plugin, both can be disabled. Lefevre wasn't satisfied with that, saying:
But this is not the whole point. Features with privacy concerns should never be enabled by default (unless the feature is the only purpose of the package, and such a package would never be installed automatically — and even in such a case, there should be a big warning first).
In response, Xiao pointed out that the package description can be read by any user who chooses to install the software, and it does mention the scan feature. That said, I noted during my investigation that the description of stardict-plugin did not mention that the YouDao plugin uses an online service instead of an offline dictionary. Xiao suggested splitting the networked dictionary plugins into a separate package, but was "not sure whether it's very necessary to do so".
It is worth noting that the scan feature, while obviously a problem in this context, is one of the reasons that a user might choose to use StarDict over an alternative. Reading foreign-language media is often easier when words can be sought in a dictionary with as little fuss as possible. From that perspective, it makes sense that Xiao might not view the feature as problematic.